(54) Title: NEW OPERATION FOR KEY INSERTION WITH FOLDING
(57) Abstract 

In MultiDES based systems with bit-slice implementation, one embodiment of the method of the present invention, is a new cipher based on a modification of bit-slice implementation of DES. Therein, the exclusive-or is replaced within the F function with a form of multiplication. Thus, every simultaneous encryption depends, in all of the bits of input into the s-box, on every other parallel encryption. Any invertible group operation could be used in place of multiplication. The principal requirement is that every input bit will influence the result; the operation need not be easily invertible. For example, common multiplication using exclusive-or to fold the upper and lower halves of the result yields a strong candidate. The method of the present invention uses a careful form of folding so that the [...]. MultiDES based systems with bit-slice implementation are particularly preferred, one embodiment of the method of the present invention. The recommended key schedule for Feistel and other block ciphers uses the block cipher [...] and pseudo-random expansion into conveniently sized subkeys. A subkey chaining mode [...] is proposed. A Feistel structure allowing for further extension of block length for subkey chaining output is proposed.






WO 99/08411 PCT/IL98/00369



NEW OPERATION FOR KEY INSERTION WITH FOLDING 


BACKGROUND: FIELD OF INVENTION

This invention relates to using a form of multiplication as the key insertion operation and related folding methodologies useful to form a shorter input length keyed hash function.

Bit-slice methodology is used in one of the preferred embodiments of the method of the present invention.

BACKGROUND: PRIOR ART 

The classic approach to cryptographic hashing has been proposed by Ron Rivest of MIT in a function called MD5 (Message Digest 5, or perhaps Merkle-Damgaard). A theoretical criticism was brought in the conference called Eurocrypt '96 by James Massey in a talk, "The difficulty with difficulty." Massey contends that a function of similar complexity to MD5 will invert the function. This criticism holds for all non-keyed proposed one way functions.

It being understood that where reference is made in an embodiment of the present invention to any cryptographic primitive, especially MD5, and derivatives thereof, MultiDES based systems, subkey chaining mode, as well as MultiDES based systems with bit-slice preferably and optionally are employed. A version of MD5-MAC is referred to in Menezes, van Oorschot, Vanstone, "Handbook of Applied Cryptography," CRC Press, New York, 1996. Entropy, cipher-block-chaining, probabilistically checking for correctness and other cryptographic terms are defined in Menezes, et al. Descriptions found for MD5-MAC are not easily understood, nor is the rationale for the particular construction easily known.

The inventor of the present invention has proven Massey's conjecture for a simplified version of MD2 (a hash function allegedly by Ron Rivest). Viewed as a whole, all but one step of MD2 is an involution. Thus, the inverse function is not just of the same complexity as MD2, but is identically the same function. This is a very undesirable property for a hash function.

There exist modifications of MD5 which allow for keyed hashing. However MD5 is not deeply understood and has not undergone extensive analysis. Hans Dobbertin has found some collisions (two inputs yielding the same output) in the hash function MD4, forcing the publication of the additional complexity of MD5.

Another prior art approach is to use classical block symmetric algorithms for hashing. CAST is obviously different from the method of the present invention in that it uses expansion-based s-boxes. Thus, fewer bits (8 bits) yield 32-bit outputs for the s-boxes. Use of CAST relies on esoteric properties of bent functions; it is difficult for many people to understand their s-box design principles so as to be able to place the necessary amount of trust in them.

Whitfield Diffie commented, Eurocrypt '98, to the inventor of the present invention that it would take him, one of the founders of public-key cryptography, a full year to understand s-box design. Thus, the cryptographic community finds significant obstacles to understanding and verifying different s-box designs.

IDEA U.S. patent #5,214,703 in its current form does not have a block length of 128 bits. It is different from the method of the present invention because a preferred embodiment of the method of the present invention maintains the overall Feistel structure of DES, changing mainly the key-insertion and scheduling operations. The operation shown in section 3.4.1 (p.34) (On the design and security of block ciphers by X. Lai and J. Massey) differs in content and purpose from the method of the current invention. In content the operations are performed at once on four sets of inputs and are strictly single algebraic group operations, and in purpose no extension of block length is achieved. Outside reviews of IDEA are not widely available due to its relative newness.

Another application of the method of the present invention is in a Message Authentication Code (MAC). An approach to accomplish a MAC was brought in the Brachtl U.S. Patent #4,908,861. It differs from our construction in that we provide folding within the round function and Brachtl does so only on the entire DES encryption. The method of the present invention's construction provides more thorough mixing by using a form of multiplication within the round. It is unknown how much cryptanalysis the MDC2 and MDC4 modes have withstood.

An extremely different approach to hashing could be constructed using RC5, again by Ron Rivest. As he is the author of MD5 above, he favors MD5 for that application. RC5 is obviously different from the method of the present invention in that it uses data-dependent rotations as its principal operation. This operation may have significant drawbacks. In a recent attack on RC5 in Eurocrypt '98, weaknesses are shown in a slightly modified version.

The inventor of the present invention had a part in the earlier stages of the mentioned attack on RC5 during his attacks on data-dependent rotations as a cryptographic consultant.

RSA U.S. patent #4,405,829 is different from the method of the present invention because the method of the present invention uses the same key for encryption and decryption. The system of the present invention is based on classical (i.e. Shannon 1949) confusion and diffusion rather than pure algebraic structures. RSA, due to its algebraic structure, has the multiplicative property, that is, the encryption of a times the encryption of b equals the encryption of the product a*b. Thus, RSA is not appropriate for use as a hash function or to encrypt arbitrary user-supplied data. (For example, see Coppersmith, Eurocrypt '96 for some attacks on RSA.)

An attempt to use DES U.S. patent #3,962,539 in its current unmodified form would not be appropriate because of the tiny key-block lengths. DES is different from the method of the present invention because the key insertion operation has been changed, the key schedule revised, and a methodology of folding introduced to yield larger block and key sizes. The description of the method of the present invention hereby incorporates specifically the patent 3,962,539 by reference to define the terms s-box, E Expansion, key schedule, P permutation. (See tables II-IV.) Descriptions of prior art DES implicitly refer thereto. The reader is referred also to FIPS PUB 46-1, Data Encryption Standard and FIPS PUB 81, DES Modes of Operation. It being understood that where reference is made to DES and derivatives thereof as part of an embodiment of the present invention, MultiDES based systems as well as MultiDES based systems with bit-slice preferably and optionally are employed.

The U.S. patent of Feistel #3,798,359 was filed in 1971; DES was based on the Feistel structure. The reader may refer to a substantially equivalent description in [BiSh93, appendix A]. A bit-slice fast-parallel bit-wise vector implementation of DES is referred to in Biham, E., "A fast new DES implementation in software," Proceedings of Fast Software Encryption Workshop, Springer-Verlag, January 1997.

On page 8, Biham states that: "We can use this fast code to design a new, even faster, and more secure cipher, which we call WDES. We convert the code by removing IP, FP, and changing the EPS operations (S boxes followed by P followed by E, as used in this implementation) into S boxes from 8 to 64 bits. These S boxes can be much better than the original, since each S box affects all of the bits of all of the S boxes in the next round (rather than one bit in only six S boxes)."

A bit-slice implementation relies on the bit-wise attribute used for key infusion inside the F function. It requires redesigning the substitution boxes of DES in the form of logic gates. Biham's implementation of the logic gates was appropriate for exactly 64-bit machines, and the Biham method for WDES was appropriate for exactly 64-bit output s-boxes each. The method of the present invention is appropriate particularly for 32-bit machines, thus 32-bit output s-boxes.

Trying to use bit-slice DES for hashing would immediately fail because fundamentally, it is just a collection of DES operations operating in parallel without interaction between them. Bit-slice DES is different from MultiDES based systems with bit-slice implementation, one embodiment of the method of the present invention, because the key insertion operation has changed. Thus MultiDES based systems with bit-slice implementation, one embodiment of the method of the present invention, do not share the equivalence between bit-slice DES and DES.

The structure of DOS directory file entries is referred to in "PC Intern: The Encyclopedia of System Programming," Tischer and Jennrich, Abacus, 1996. The PC Intern document defines a variety of terms of the art including "file handle", "opening a file", "FAT", "hard drive", "hard drive serial number", "sector number", "number of read/write heads" and "cluster." The term "file" is intended to include a directory or a directory tree. An "attribute byte" is a byte within the directory entry of a file as defined in PC Intern.

Differential Cryptanalysis is a methodology for attacking ciphers. Biham and Shamir teach against a preferred embodiment of the method of the present invention. Biham, E. and Shamir, A., Differential Cryptanalysis of the Data Encryption Standard, Springer-Verlag, New York, 1993, in section 4.5.3.1 of chapter 4 states that "If we replace the exclusive or operation within the F function by an addition operation we get a much weaker cryptosystem." The term "F function" and other conventional DES terms such as subkey, as well as how to decrypt using DES, are explained in Biham and Shamir's Appendix A, "Description of DES" and/or in the Glossary of the Biham and Shamir publication. On page 14, Biham and Shamir remark that "to simplify the mathematical analysis of our attacks, we assume that all subkeys are independent. Attacks on DES with dependent subkeys were experimentally shown to have the same probability of success, but the theoretical analysis of the probability is much harder." The method described in the theory of the present invention grapples with issues where carry is present such as in addition or multiplication based operations. In the theory of the present invention, the Biham-Shamir assumption implying that success of an attack is independent of the particular key chosen is shown not to apply.

The disclosures of all publications mentioned in the specification and of the publications cited therein are hereby incorporated by reference.

PRIOR ART: DATA ENCRYPTION STANDARD, FEISTEL STRUCTURE

BACKGROUND: DES (Data Encryption Standard) was developed by IBM with advice from the NSA (National Security Agency) of the United States of America. The NSA also made modifications to the S-boxes. DES is one of the most widely employed encryption algorithms. The Data Encryption Standard is built as spelled out by the above referenced Biham-Shamir publication. Its speed is 12,000 bytes per second on a Pentium 120 MHz machine.
The standard implementation is as follows:

Inputs: 64-bit key and 64-bit plain-text (Reference is made to figures 14-15.)

KEY SCHEDULE

The 64-bit key enters an initial permutation, which results in a 56-bit key being used. Then on each round the 56 bits are split into 28-bit halves. Each half is left circular shifted 1 or 2 bits depending on the round. A compression permutation selects 48 out of 56 bits for use in a round.

FEISTEL STRUCTURE AND DES ROUND

The 64-bit plain text also undergoes an initial permutation. Then it is split into 32-bit halves. On each round, the right half undergoes an expansion permutation which results in 48 bits; 16 of the 32 bits are repeated. The key bits from the compression permutation and the input bits from the expansion permutation are combined with the function exclusive-or, and then split into 8 6-bit units, each an input to one of 8 S-boxes. The S-boxes consist of 4 rows by 16 columns of values from 0 through 15. The outer 2 bits of a 6-bit input determine the row (hex: 0..3) and the middle 4 bits determine the column (hex: 0..f). The output is the value contained in the row, column of the S-box. The 8 S-boxes each yield 4 bits for a total of 32. These bits undergo a P-box permutation, which mixes these bits. Finally, the bits are combined with the function exclusive-or with the left half of the round input bits. Then the left half becomes the right half and the exclusive-or result becomes the left half, for the start of the next round. At the end of the final round, the right half remains as is, and the exclusive-or result replaces the left half.

OBJECTS AND ADVANTAGES 

Accordingly, several objects and advantages of the preferred embodiment of the method of the present invention are speed, simplicity of design, cryptographic strength and flexibility in key-block lengths. Herein the prior art will be assumed to be Triple-DES (DES used three times with two distinct keys of 56 bits each).

One advantage and object of the method of the present invention is superior speed relative to the prior art. Due to the increased resistance to cryptanalysis and large block size, the method of the present invention achieves better security than triple DES in fewer than 16 rounds.

Another advantage and object of the method of the present invention is additional larger block size. This allows for hashing, stream cipher applications, and resistance to birthday attacks wherein the same input/output pairs indicate a correspondence within the underlying scheme. In addition to the required key-block sizes, the method of the present invention, optionally and preferably, provides 192-192 key-block size and 256-256 key-block size. The speed per byte encrypted is faster on the larger block sizes. For encrypting large amounts of data or data with significant local structure, a large block size such as 256 bits is necessary for security.

Another advantage and object is resistance to differential cryptanalysis. The use of the multiplication operation in combination with the complex folding causes classical methods of differential cryptanalysis difficulty. It is important in any new system to address this approach.

Another advantage and object is key size and flexibility. The method of the present invention provides for a variable key size ranging from 40 bits to 256 bits for its 64 bit block size to 256 bit block size modes. Each key bit which is used has an impact on the resulting encryption.

Another advantage and object is flexibility in key setup time required. An embodiment of the method of the present invention generates new keys while it encrypts. Thus, key setup takes just one encryption time. In another embodiment of the method of the present invention, the key schedule performs any user defined plurality of rounds between sampling material.

User choice of 4, 8, 16, or 32 are recommended due to studied properties of the Feistel structure. For example, after 4 rounds, the Feistel structure is "complete." Completeness is that each input bit has the opportunity to influence each specific output bit. As another example, after 16 rounds, the Feistel structure has executed four sets of four rounds each. Thus, should an F function be chosen which is substantially similar to that used in prior art DES, yet failing to have all the 32 output bits in each round depend on each input bit, substantially 16 rounds provides completeness under less demanding assumptions on the properties of the F function.

Thus, for applications which need to rapidly change keys, a preferred embodiment of the method of the present invention does so. For applications which require security against key search, another preferred embodiment of the method of the present invention does so.

Another advantage and object is reusability. The method of the present invention uses the encryption algorithm to accomplish rapid and secure key scheduling. The method of the present invention uses the well-tested E Expansion, S-Boxes, P Permutation and Feistel structure of prior art DES patent #3,962,539. The method of the present invention uses commonly available multiplication. All of the constant values present in the preferred embodiment of the method of the present invention are available in implementations of prior art DES. Using widely available constant values increases the confidence level of potential users of the method of the present invention.

Another advantage and object is compact implementation. The method of the present invention in the preferred embodiment for every specific key-block size less than a thousand bits each and mentioned herein has been implemented in ANSI C in less than 3/4 of the size of a comparable DES implementation.

Another advantage and object is simplicity of design. The method of the present invention changes the key insertion operation within the F-function to include multiplication. The folding which becomes possible thereby enables arbitrarily long block sizes using a simple and regular construction.
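The two points made above, that bit-slice DES is merely a set of non-interacting parallel encryptions while a multiplicative key insertion with folding couples them, and that the Feistel structure tolerates a non-invertible insertion operation, as an added worked example that is not the patent's own cipher or code. It is a two-lane toy Feistel network; the insertion operation follows the "common product of the two arguments plus exclusive-or of the arguments" of Figure 2 and the fold of Figure 3 (upper half of the double-width result into the companion lane), but the 32-bit half width, the S-box, the mixing rotations, the round count and the subkey constants are all hypothetical choices made for this illustration.

```python
# Added worked example, not the patent's own cipher or code: a two-lane toy
# Feistel network that replaces exclusive-or key insertion with "common
# product plus exclusive-or", folds the upper half of the double-width result
# into the companion lane, and shows that the Feistel structure still
# decrypts although that insertion operation is not invertible.  Half width,
# S-box, mixing rotations, round count and subkeys are hypothetical.

MASK32 = (1 << 32) - 1
ROUNDS = 8
# hypothetical round subkeys (the patent derives its subkeys differently)
SUBKEYS = [(0x9E3779B9 * (i + 1)) & MASK32 for i in range(ROUNDS)]
# hypothetical bijective, non-linear 8-bit S-box: cubing in GF(257), shifted to 0..255
SBOX = [pow(x + 1, 3, 257) - 1 for x in range(256)]


def rotl32(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def f_round(x32):
    """Round function: byte-wise S-box substitution, then a rotation mix
    standing in for DES's P permutation."""
    y = 0
    for i in range(4):
        y |= SBOX[(x32 >> (8 * i)) & 0xFF] << (8 * i)
    return y ^ rotl32(y, 7) ^ rotl32(y, 18)


def insert_xor(x32, k32):
    """Prior-art DES key insertion: exclusive-or.  No upper half exists to fold."""
    return x32 ^ k32, 0


def insert_mul(x32, k32):
    """Product plus exclusive-or of the arguments.  The 64-bit result is
    returned as (lower 32 bits, upper 32 bits); the upper half is folded."""
    r = x32 * k32 + (x32 ^ k32)  # < 2**64 for 32-bit arguments
    return r & MASK32, r >> 32


def round_inputs(rights, k32, insert):
    """F-function inputs of both lanes after key insertion and folding: each
    lane's upper half is exclusive-ored into the companion lane's input."""
    low0, high0 = insert(rights[0], k32)
    low1, high1 = insert(rights[1], k32)
    return [low0 ^ high1, low1 ^ high0]


def encrypt(lanes, subkeys, insert):
    """lanes: two (L, R) pairs of 32-bit halves.  Returns the two ciphertext lanes."""
    state = [list(lane) for lane in lanes]
    for k in subkeys:
        inputs = round_inputs([r for _, r in state], k, insert)
        for lane, fin in zip(state, inputs):
            left, right = lane
            lane[0], lane[1] = right, left ^ f_round(fin)
    # as in DES, the last round's swap is undone
    return [(r, l) for l, r in state]


def decrypt(lanes, subkeys, insert):
    """Same network with the subkeys reversed; neither F nor the insertion is inverted."""
    return encrypt(lanes, list(reversed(subkeys)), insert)


def lane_coupling(insert, subkeys):
    """Does flipping one bit of lane 0's plaintext change lane 1's ciphertext?"""
    base = [(0x01234567, 0x89ABCDEF), (0xDEADBEEF, 0x0BADF00D)]  # constructed input
    other = [(0x01234567, 0x89ABCDEF ^ (1 << 31)), base[1]]
    return encrypt(base, subkeys, insert)[1] != encrypt(other, subkeys, insert)[1]


if __name__ == "__main__":
    pt = [(0x01234567, 0x89ABCDEF), (0xDEADBEEF, 0x0BADF00D)]
    for ins in (insert_xor, insert_mul):
        ct = encrypt(pt, SUBKEYS, ins)
        print(ins.__name__, "round trip ok:", decrypt(ct, SUBKEYS, ins) == pt,
              "lanes coupled:", lane_coupling(ins, SUBKEYS))
```

With `insert_xor` the second lane never reads anything from the first, so a change confined to lane 0 can never reach lane 1: that is the "collection of DES operations operating in parallel without interaction" the text describes. With `insert_mul`, flipping the top bit of lane 0's right half changes the upper 32 bits of its product and hence the F input of lane 1 in the very first round. Decryption needs no inverse of the insertion operation in either case, because the Feistel structure only ever recomputes F on the half it has in the clear.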

Another advantage and object is that the method of the present invention can control a microprocessor to create the output of a hashing algorithm. The embodiment of the method of the present invention with 256-bit block size can be used as a keyed or non-keyed hashing function in place of MD5. One preferred embodiment of the method of the present invention takes the upper and lower 128 bits of the output to be arguments to the function of exclusive-or to yield a single 128-bit output. Another preferred embodiment of the method of the present invention uses an exclusive-or of the input plain text with the output cipher text to yield a 256-bit block output.

Another preferred embodiment of the method of the present invention allows the round input to the new F function to be dependent on substantially more than half of the bits of the given block size. Another preferred embodiment of the method of the present invention allows the round output of the new F function to influence substantially more than half of the bits of the given block size. These two preferred embodiments differ substantially from the classic Feistel structure referred to herein.

Another preferred embodiment of the method of the present invention is to use an exclusive-or of the round plain text derived input with the round plain text derived output to yield the new plain text derived output.

Even if the key were to be published, it would still be hard to invert.

The advantages would include:

1. Smaller input block size of 256 instead of 512. This is often more convenient for small data items such as passwords.

2. Natural method for keying built into the cipher.

3. Easier to understand and clearer design principles.

Another advantage and object is ability to define a new mode of operation which derives from execution of the cipher in key-generation mode and using the newly generated subkeys for future encryptions. The key-generation mode also produces cipher text of the desired plain text.

Another advantage and object is handling high bandwidth or highly structured inputs whose structure often remains apparent when using small block size ciphers. The large block size and effective mixing which is apparent after a mere four rounds of the cipher provide protection against matching based "birthday" attacks as well as scrambling the local patterns better than just CBC mode. A fast gate-based implementation is available for large block sizes.

Another advantage and object of the method of the present invention is that it does not exhibit known weak keys, complementation properties, or have self-complementing keys.

Another advantage and object of the method of the present invention is that even in a simplified method, the round-dependent masks would cause weak subkeys to be round-dependent. Such a restriction greatly reduces the usefulness of such a weak subkey to attack the system.

An advantage and object of a method of the preferred embodiment is application to ATM Networks. These networks have a high bandwidth. Thus fast algorithms processing a large block size are advantageous here. The increased block size, speed and resistance to cryptanalysis with respect to Triple DES gives TMD an advantage for this application.

An advantage and object of a method of the preferred embodiment is application in cipher feedback mode or cipher block chaining mode or subkey-generation chaining mode to yield a stream cipher.

An advantage and object of a method of the preferred embodiment employs cipher-block-chaining (hereinafter CBC) with a random initialization vector (hereinafter IV) generated using counter mode and a secret key to yield ciphertext which yields no computational information about the plaintext.

An advantage and object of a method of the preferred embodiment can be employed after applying the function of exclusive-or to a plain text with a key stream, and followed by applying the function of exclusive-or to a cipher text with a key stream.

A preferred embodiment of the method of the present invention, TMD, is a CBC based message authentication code (hereinafter MAC). Apply the CBC mode to the text after padding (if necessary). Decrypt the final result using another secret key. This is the MAC result. There is no need for a random IV in this case. Some DES based MACs can be attacked in 2^[...] time due to their small key-block size. However, here a block size of a minimum of 128 bits would be suitable, making this approach far superior to current MACs using DES.

An advantage and object of a method of the preferred embodiment is application to High Definition Television, Satellite and Voice Applications. A large block cipher combined with a rapid execution time provide TMD with advantages for this application. The dependence on highly defined and structured data means that reliance on cipher-block-chaining with block ciphers of a short length is not recommended. One can learn the plain text exclusive-or from a repeating of cipher blocks.
Another advantage and application being in accordance with another preferred embodiment of the present invention is a system for protecting confidentiality of information written on a notebook computer, the system including: an automatic file-by-file information protector operative to protect a plurality of files on an automatic file-by-file basis, the information protector including: a symmetric encryptor using a symmetric cryptosystem to encrypt an individual file, thereby to generate an encrypted individual file; and a notebook storage manager operative to store the encrypted individual file on a notebook computer.

Another object and application being in accordance with another preferred embodiment of the present invention is a system for protecting confidentiality of information written on a hard disk, the system including: a symmetric file encryptor using a first symmetric cryptosystem to encrypt a file having a selectably known file key; and a symmetric file key encryptor operative to encrypt the selectably known file key using a second symmetric cryptosystem and a selectably known master key derived from a selectably known pass phrase using a cryptographically strong hash function.

Further objects and applications of the present invention will become apparent from a consideration of the drawings and ensuing description.

DESCRIPTION OF DRAWINGS

The present invention will be understood and appreciated from the following detailed description, taken in conjunction with the drawings in which:

Figure 1 is an exemplary illustration of a preferred method explaining how to make and use an encryption and decryption portion of the method of the present invention;

Figure 2 is an exemplary illustration of a preferred method explaining how to make and use the key insertion portion of the method of the present invention; preferably, the form of multiplication chosen will be the common product of the two arguments plus the exclusive-or of the arguments;

Figure 3 is an exemplary illustration of a preferred method explaining how to make and use an operation on two inputs yielding a double-sized result portion of the method of the current invention; preferably, fold half of the double-sized result into a companion execution of the method;

Figure 4 is an exemplary illustration of a preferred embodiment which explains how to make and use the key schedule portion of the method of the present invention;

Figure 5 is an exemplary illustration of a preferred embodiment which explains how to make and use the substantial key-block size portion of the machine of the present invention;

Figure 6 is an exemplary illustration of an optional embodiment which explains how to make and use an improved key schedule portion of the method of the present invention; preferably, including feeding the full 64 key bits per block into a rearranged PC2 from prior art DES;

Figure 7 is an exemplary illustration of a preferred embodiment which explains how to make and use the form of multiplication portion of the method of the present invention;

Figure 8 is an exemplary illustration of a preferred embodiment which explains how to make and use a permutation to span multiple blocks portion of the method of the present invention;

Figure 9 is an exemplary illustration of a preferred embodiment which explains how to make and use a circuit-based logic-gate implementation of the machine of the present invention;

Figure 10 is an exemplary illustration of an alternative embodiment which explains how to make and use masks derived from DES s-box entries; table I, a Key Selection Permutation Table in an improved key schedule, designates which master key bits will be selected for each round subkey;

Figure 11 (top) is an exemplary illustration of a preferred embodiment which explains how to make and use inputs of master-key and predetermined initial keys to yield master key derived subkeys;

Figure 11 (middle) teaches to make and use inputs of master-key and predetermined initial keys to yield master key derived subkeys; these subkeys are used to encrypt in key-generation mode a plain text, which in turn generates additional subkeys as well as a cipher text;

Figure 11 (bottom) teaches how to make and use subkey-feedback-mode;

Figure 12 is an exemplary illustration of a preferred embodiment of the method of the present invention which explains how to make and use the encryption and decryption portion of the method of the present invention. It differs from figure 1 in that it recites fewer optional elements;

Figure 13 is an exemplary illustration of a preferred embodiment which explains how to make and use the key schedule portion of the method of the present invention; it differs from figure 4 in that it recites fewer elements and generalizes to non-Feistel methods;

Figure 14 is an exemplary illustration of a preferred embodiment which explains how to make and 
use an internal round fiinction portion of the method of the present invention; 
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Figure 1 5 is an exemplaiy iiiustration of a preferred embodiment vAdch explains how to make and 
use a Feistel stnicture tor Multi-DFS portion of the method of the present invention; 

Figure 16 is an exemplary illustration of a preferred embodiment which explains how to make and 
use a particular form of multiplication portion of the method of the present invention; 

Figure 17 is an exemplary illustration of a preferred embodiment which explains how to make and 
use an example round function for TMD using two MultiDES encryptions in tandem; 

Figure 18 is an exemplary illustration of a preferred embodiment which explains how to make and 
use an example round function TMD using three MultiDES encryptions in tandem; 

Figure 19 is an exemplary illustration of a preferred embodiment which explains how to make and 
use an example round function TMD using four MultiDES encryptions in tandem; 

Figure 20 is a simplified flowchart illustration of a preferred method for protecting data on a 
notebook computer; 

Figure 21 is a simplified flowchart illustration of a preferred method for protecting confidentiality 
of information written on a notebook computer, the method being constructed and operative in 
accordance with a preferred embodiment of the present invention; 

Figure 22 is a simplified flowchart illustration of a use of a slightly modified MD5-MAC message 
authentication code method constructed and operative in accordance with a preferred embodiment of 
the present invention; 

Figure 23 is a simplified flowchart illustration of a preferred method for generation of file keys 
forming a part of the method of figure 22, using contents of DOS directory entries as plain texts and 
keys to generate a file key; 

Figure 24 is a simplified flowchart illustration of a preferred method for performing an encryption of 
a file using the method of figure 23 to generate file keys and the output of the method of figure 22 to 
protect the file key; 

Figure 25 is a simplified flowchart illustration of a preferred method for performing an encryption 
of a file on a sector by sector basis using unique information based on the location on the particular 
hard disk and cipher-block-chaining within the sector; and 

Figure 26 is a simplified flowchart illustration of a preferred method for performing the method of 
figure 25 wherein the encryption is a fast parallel bit-wise vector implementation of DES with a form of 
multiplication substituted for exclusive-or when combining the subkey with the plaintext derived 
input. 

Figure 27 is a simplified flowchart illustration of a DES encryption method constructed and 
operative in accordance with a preferred embodiment of the present invention; 

Figure 28 is a simplified flowchart illustration of a first preferred method for performing an n'th 
DES round forming part of the method of figure 27, using addition to combine subkey with plain text 
derived input; 

Figure 29 is a simplified flowchart illustration of a second preferred method for performing an n'th 
DES round forming part of the method of figure 27; 

Figure 30 is a simplified flowchart illustration of a modification of figure 2 in which first and 
second permutations and mapping are employed to perform the DES round; 

Figure 31 is a simplified flowchart illustration of a third preferred method for performing an n'th 
DES round forming part of the method of figure 27; 

Figure 32 is a simplified flowchart illustration of a DES encryption method constructed and 
operative in accordance with another preferred embodiment of the present invention; 

Figure 33 is a simplified flowchart illustration of a fourth preferred method for performing an n'th 
DES round forming part of the method of figure 32, using multiplication to combine subkey with 
plain text derived input; 

Figure 34 is a simplified flowchart illustration of a fifth preferred method for performing an n'th 
DES round forming part of the method of figure 32; 

Figure 35 is a simplified flowchart illustration of a modification of figure 33 in which first and 
second permutations and mapping are employed to perform the DES round; 

Figure 36 is a simplified flowchart illustration of a sixth preferred method for performing an n'th 
DES round forming part of the method of figure 32; 

Attached herewith are the following appendices which aid in the understanding and appreciation of 
one preferred embodiment of the invention shown and described herein: 

A separate section entitled Theory of present invention has been printed by itself, yet is to be read 
as an integral part of the disclosure. These findings build on research findings which indicate that 
replacing the exclusive-or function with an addition operation does not always yield a weaker 
cryptosystem, contrary to the teachings of Biham and Shamir in Section 4.5.3.1 of Chapter 4 of the 
above-referenced Biham-Shamir publication. 
FORM OF MULTIPLICATION 

An advantage and object of employing a form of multiplication to accomplish key insertion is the 
ability to demonstrate, in the Theory of Operations section, the strength of the method of the present 
invention by attacking a simplified version using differential cryptanalysis. The simplification is 
employing, as the form of multiplication, common multiplication with carry discarded. 

Attempts at using differential cryptanalysis with a ratio to cancel the key insertion face building 
difference distribution tables over all 16 to 32 bits at once due to interference with the P Permutation. 

Thus, the preferred embodiment of the method of the present invention employs a form of 
multiplication in place of exclusive-or as the key insertion operation due to its better mixing and 
consequent resistance to cryptanalysis. 

Another advantage and object of a preferred definition of multiplication is that it allows a pair of 
values to be blended whereby the upper half of one product has the exclusive-or function applied with 
the lower half of the companion product. 

A form of multiplication can be selected from the group including: 

(a) in the algebraic sense, i.e. any operation on two arguments yielding a third, e.g. elliptic curve 

(b) common multiplication 

(c) multiplication over a ring 

(d) multiplication over a field (or nearly a field) 

(e) multiplication over a Fermat or Mersenne field (or nearly a field) 

(f) common multiplication yielding an upper and a lower half, and a linear combination thereof 

(g) common multiplication of n inputs to yield an interim product, exclusive-or between subsets 
of those n inputs to yield a mix, optionally concatenating distinct mixes to yield a length equal to the 
interim product, and summing together the interim product and the (concatenated) mix to yield a product 

(h) any of the above forms of multiplication on a plurality of arguments 

(i) any of the above forms of multiplication where at least one argument is a constant 

It being understood that operations described herein, for brevity, as a form of multiplication may 
have their implementation optimized to eliminate a common multiplication operation; representation 
notwithstanding, it shall still be considered herein a form of multiplication. Clearly, any multiplication 
can be rewritten in the form of additions and shifts, yet it is still understood to be multiplication. 

Reference is made to figure 2. The preferred embodiment of the present invention employs a form 
of multiplication to do key insertion. The form employed can be multiplication over a Fermat field such as 
2^16+1. Alternatively, the method of the present invention employs common multiplication with carry 
discarded as the form of multiplication. Optionally, a form of multiplication includes addition or 
multiplication of points on an elliptic curve. (See for example, Silverman, Arithmetic of Elliptic 
Curves, 1986, Springer-Verlag.) Optionally, any operation in which the operator is reused in 
object-oriented languages such as Ada or C++ is a form of multiplication. 

In a preferred embodiment of the method of the present invention, a form of multiplication can be 
understood as the operation on a, b defined by a*b+(a exclusive-or b), where * is common 
multiplication, + is common addition, and exclusive-or is common exclusive-or. This definition of a 
form of multiplication is novel and non-obvious. The term "product" is defined herein to refer 
typically to this form of multiplication, wherein the two variables used for illustrative purposes only 
could be a plurality of variables such as a*b*c+(a exclusive-or b exclusive-or c). Alternatively, the 
term "multiplication", in particular with a plurality of variables, could be defined as a*b*c^(a^b << 
32 | b^c << 16 | a). Alternatively, the form of multiplication with a plurality of variables is 
defined as a*b*c*d^(a^b << 48 | … << 32 | c^a << 16 | d^b). Following ANSI C 
conventions, ^ is exclusive-or, | is binary-or, and << x means shift left x bits. Implicitly, the 
example herein assumes a word size of 16 bits; however, this is strictly exemplary, as any word size 
could be suitably employed by dividing "x" by 16 and multiplying by the desired word size. 

The term "resultant product" is therefore typically the result of such blending of a plurality of 
products. Looking at the resultant product, it substantially retains the benefits of modulo 
multiplication using the common definition of multiplication. 

In another embodiment of the method of the present invention, a form of multiplication can be 
understood to be the operation on a, b defined by a*b wherein the variable lower is assigned the 
lower half of the product and the variable upper the upper half of the product. The result shall be a linear 
combination of upper and lower, for example for constants c1, c2: c1*upper+c2*lower. Alternatively, 
understand linear combination to be c1*upper exclusive-or c2*lower, as well as substantially similar 
constructions. 

When present in a Feistel structure, a key-inserter may use any form of multiplication desired. The 
term "key-inserter" is not intended to be used where the form of multiplication is multiplication 
modulo 65537 to form a first product followed by addition modulo 65536 using that product 
followed by multiplication modulo 65537 to form a second product followed by addition modulo 
65536 between the first and second products. 

When employing a multiplier, an exception is treating one or more input values distinctly. A 
non-exclusive indicator of exceptions is the presence of conditional constructions in programming languages. A 
logarithmic number of exceptions is a limited number of conditional constructions, for example fewer 
than 16 for the field modulo 65537. 

If the length of each integer is 8 bits and if multiplication over a ring is employed then the ring 
may, for example, be modulo 257 wherein 0 is considered to be -1. If the length of each integer is 16 
bits and if multiplication over a ring is employed then the ring may, for example, be modulo 65537 
wherein 0 is considered to be -1. If the length of each integer is 32 bits and if multiplication over a ring is 
employed then the modulus of the ring is typically slightly in excess 

Optionally, justification for broadening the definition of a form of multiplication to include variant 
forms is the mathematical fact that multiplication modulo 2^n+1 can be calculated in such a linear 
combination manner, with subtraction used suitably to yield the correct identity in the linear combination. 
Alternatively, a form of multiplication is understood to include multiplication over a ring. 

Alternatively, a form of multiplication is understood in the algebraic sense, thus an operation on 
two arguments yielding a third. Clearly, addition or exponentiation is understood in algebraic context 
to be a form of multiplication. Thus, language such as performing a round function employing a 
form of multiplication is understood to include employing common addition, addition with carry 
discarded, common multiplication and common multiplication with carry discarded, and others. 

For example, employing a key insertion operation of a form of multiplication within DES would 
describe add-DES, wherein addition is substituted for exclusive-or in the round function. Uses of non-
symmetric operations such as subtraction or division are herein considered to be a form of 
multiplication. In an embodiment of the present invention, division over a field is accomplished by 
finding the multiplicative inverse, followed by standard multiplication over the field. 
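As an added example, not part of the patent text, the following C code implements the preferred form of multiplication a*b+(a exclusive-or b) on 16-bit words, and multiplication over the Fermat field modulo 65537 with the 16-bit value 0 standing for 65536 (that is, -1), computed both by direct modular reduction and by the lower-minus-upper linear combination the text describes. Function names and the sample values are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Preferred form of multiplication from the text: a*b + (a ^ b).
 * Two 16-bit arguments yield a 32-bit double-length product; carry out of
 * 32 bits is discarded (it cannot occur here: (2^16-1)^2 + 2^16-1 < 2^32). */
uint32_t product16(uint16_t a, uint16_t b)
{
    uint32_t common = (uint32_t)a * (uint32_t)b;  /* common multiplication */
    return common + (uint32_t)(a ^ b);            /* plus common exclusive-or */
}

/* Multiplication over the Fermat field modulo 65537 = 2^16 + 1.
 * The 16-bit value 0 represents 65536, which is congruent to -1 (mod 65537).
 * Reference version: straightforward modular arithmetic in 64 bits. */
uint16_t mul65537_direct(uint16_t a, uint16_t b)
{
    uint64_t x = a ? a : 65536u;
    uint64_t y = b ? b : 65536u;
    uint64_t r = (x * y) % 65537u;
    return (uint16_t)(r == 65536u ? 0 : r);       /* map 65536 back to 0 */
}

/* Same field multiplication as a linear combination of the upper and lower
 * halves of the common product: since 2^16 = -1 (mod 65537),
 * upper*2^16 + lower = lower - upper. When lower < upper the subtraction
 * wraps modulo 2^16, and adding 1 (adding 65537, then discarding the 2^16)
 * restores the correct residue. No modular reduction operation is needed. */
uint16_t mul65537_fold(uint16_t a, uint16_t b)
{
    uint64_t x = a ? a : 65536u;
    uint64_t y = b ? b : 65536u;
    uint64_t p = x * y;                            /* up to 2^32 when a = b = 0 */
    uint32_t lower = (uint32_t)(p & 0xFFFFu);
    uint32_t upper = (uint32_t)(p >> 16);          /* up to 65536 */
    if (lower >= upper)
        return (uint16_t)(lower - upper);
    return (uint16_t)(lower - upper + 1);          /* wraps modulo 2^16 as intended */
}

/* Cross-check: 1 if both field multiplications agree on every pair drawn
 * from a constructed sample (including the special value 0), else 0. */
int mul65537_agree(void)
{
    static const uint16_t sample[] = { 0, 1, 2, 3, 0x100, 0x7FFF, 0x8000, 0xFFFE, 0xFFFF };
    size_t n = sizeof sample / sizeof sample[0];
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++)
            if (mul65537_direct(sample[i], sample[j]) != mul65537_fold(sample[i], sample[j]))
                return 0;
    return 1;
}

int main(void)
{
    /* a zero argument still yields a nonzero product: the exclusive-or term survives */
    printf("product16(0x1234, 0) = %08x\n", product16(0x1234, 0));
    printf("product16(0xFFFF, 0xFFFF) = %08x\n", product16(0xFFFF, 0xFFFF));
    printf("0 * 0 in GF(65537) = %u (65536 * 65536 = 1)\n", mul65537_fold(0, 0));
    printf("2 * 32769 in GF(65537) = %u\n", mul65537_fold(2, 32769));
    printf("direct and folded agree: %d\n", mul65537_agree());
    return 0;
}
```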

An advantage and object of the present invention is achieving a product which benefits from the 
long-range effects of carry present in multiplication together with the preservation of hamming 
weight independence provided by exclusive-or. An alternative form of multiplication in which zero is 
treated as negative one is believed alternative to a preferred definition of the form of multiplication. 
Through experimental work, the alternative form of multiplication was shown to have so-called 
"weak keys". Keys with either a high or low Hamming weight would cause less satisfactory results 
using the alternative form. Preferably, the implementation of the above definition of product as a 
plurality yields an additional novel and unobvious way of mixing values in companion executions of 
modified round functions. 

An advantage and object of the present invention is to achieve as thorough a mixing of distant bits 
as is possible in modulo multiplication. 

Another advantage of the preferred embodiment of the present invention with a preferred 
definition of multiplication is that it allows a pair of such resultant products to be blended. 

FORM OF FOLDING 

A form of folding operates on a pair of double-length results of a form of multiplication to yield a 
single double-length result. A preferred embodiment of the present invention performs exclusive-or 
between the upper half of a first double-length result and the lower half of a second double-length 
result to yield a first mix. Preferably, in addition, exclusive-or is performed between the lower half of 
the first double-length result and the upper half of the second double-length result to yield a second 
mix. Further preferably, concatenate the first mix to the second mix to yield a folded result. 

Herein a form of folding includes performing at least one application of an element selected from 
the group consisting of a form of multiplication, a form of folding, and a form of blending. 

Folding refers to a wide variety of operations available on computers; typically such operations are 
group operations and occasionally the operations are bit-wise. Folding a single-size portion into a 
companion execution implies application of a group operation between all of the single-size portions 
to be folded in, yielding a single-size result. Typical folding can be addition or exclusive-or. 
Extended folding may involve pseudo-random expansion, perhaps employing a form of 
multiplication, in proximity to application of a group operation. 

An object and advantage of the method of the present invention is to create a pair of outputs 
whose individual bits vary with each of a plurality of inputs. 

Another object of the method of the present invention is to create a pair of outputs wherein 
individual bits vary with each bit of a plurality of inputs. 

Another object and advantage of the method of the present invention is to extend the block length of a 
cryptographic primitive. 

FORM OF BLENDING 

A form of blending operates on a pair of double-length results of a form of folding or a form of 
multiplication to yield a single double-length result. A preferred embodiment of the present 
invention performs exclusive-or between the upper half of a first double-length result and the lower 
half of a second double-length result to yield a first mix. Further perform exclusive-or between the 
lower half of the first double-length result and the upper half of the second double-length result to 
yield a second mix. Further, concatenate the first mix to the second mix to yield a blended result. 
Optionally and preferably, an embodiment of the present invention on a pair of double-length 
inputs performs a concatenation of the upper half of a double-length input and the lower half of the 
other double-length input to yield a blended result. 

Optionally and preferably, a form of blending operates on an n-size input, yielding a single-size 
result. Optionally, a form of blending operating on an n-size input, yielding a single-size output, may 
employ a form of multiplication. Further optionally, the form of multiplication employed may be 
exclusive-or. 

The results of preferably more than one distinct multiplication are combined in a blending 
operation. The blending operation on two arguments a, b returns a 32-bit result wherein the upper half 
of the result is the lower half of a. The lower half of the result is the upper half of b. Preferably, the 
blending arguments a and b are chosen so that, when possible, a depends on different plain text 
derived inputs from b. Likewise, every output of the multiplication must appear exactly once on 
the left and once on the right arguments of the blend. 
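The pairwise form of folding and the concatenation form of blending described above, as an added C example that is not from the patent; the 16-bit halves, subkeys and helper names are constructed for illustration. The last function builds the two blended products of a round so that each product argument depends on a different half of the input block and every product appears once on the left and once on the right of a blend.

```c
#include <stdint.h>
#include <stdio.h>

#define UPPER(x) ((uint16_t)((x) >> 16))
#define LOWER(x) ((uint16_t)((x) & 0xFFFFu))

/* Form of multiplication defined earlier in the text: a*b + (a ^ b),
 * two 16-bit words into one 32-bit double-length product. */
uint32_t product16(uint16_t a, uint16_t b)
{
    return (uint32_t)a * (uint32_t)b + (uint32_t)(a ^ b);
}

/* Form of folding on two double-length results: the first mix is the upper
 * half of the first result exclusive-or'd with the lower half of the second;
 * the second mix is the lower half of the first exclusive-or'd with the upper
 * half of the second; the folded result is first mix || second mix. */
uint32_t fold(uint32_t first, uint32_t second)
{
    uint16_t mix1 = UPPER(first) ^ LOWER(second);
    uint16_t mix2 = LOWER(first) ^ UPPER(second);
    return ((uint32_t)mix1 << 16) | mix2;
}

/* Form of blending by concatenation: the upper half of the result is the
 * lower half of a, the lower half of the result is the upper half of b. */
uint32_t blend(uint32_t a, uint32_t b)
{
    return ((uint32_t)LOWER(a) << 16) | UPPER(b);
}

/* Blended product `which` (0 or 1) for one round. left/right are the two
 * 16-bit halves of a 32-bit input block and k0/k1 two round subkeys (all
 * constructed inputs). Product p0 depends only on the left half, p1 only on
 * the right half, and each product is the left argument of one blend and the
 * right argument of the other, as the text requires. */
uint32_t blended_product(uint16_t left, uint16_t right, uint16_t k0, uint16_t k1, int which)
{
    uint32_t p0 = product16(left, k0);   /* depends on the left half only */
    uint32_t p1 = product16(right, k1);  /* depends on the right half only */
    /* blend 0: upper 16 bits from p0 (left), lower 16 bits from p1 (right);
     * blend 1: upper 16 bits from p1 (right), lower 16 bits from p0 (left). */
    return which == 0 ? blend(p0, p1) : blend(p1, p0);
}

int main(void)
{
    uint32_t p0 = product16(0xFFFF, 0xFFFF);   /* 0xFFFE0001 */
    uint32_t p1 = product16(0x1234, 0x0100);   /* 0x00124734 */
    printf("fold  = %08x\n", fold(p0, p1));
    printf("blend0 = %08x\n", blended_product(0xFFFF, 0x1234, 0xFFFF, 0x0100, 0));
    printf("blend1 = %08x\n", blended_product(0xFFFF, 0x1234, 0xFFFF, 0x0100, 1));
    return 0;
}
```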



WO 99/08411 PCT/IL98/00369 

19 

Thus, each s-box's input depends on a subkey-based pseudo-random expansion of half of the bits 
of the plain text derived input. Moreover, the bits are only 16 bits out of each 32-bit input block. 
Thus, the four s-boxes are two pseudo-random expansions of half the input bits and two pseudo-
random expansions of the other half of the bits. For illustrative purposes, the embodiments feature 16-
bit word-size; however, any suitable word-size would be appropriate. The reader mentally divides 16 and 
32, where they appear in the text, by 16 and multiplies by the new word size. 

Blending refers to a wide variety of operations performed with computational devices such as PC 
computers; typically such operations are permutations of bits. An example of an effective blending is 
selecting two groups of 16 bits out of distinct 32-bit quantities. Another example of blending would 
be selection of every fourth bit from four quantities. Another example of blending would include a 
plurality of group operations on the selected bits. 

A combiner is a logic circuit which performs folding or blending as necessary. Combining is 
either folding or blending as necessary. Combining may also be forming a third permutation which is 
equivalent to a composition of two given permutations. Combining may also be forming a third 
mapping equivalent to a composition of two given mappings, for example s-boxes followed by E 
expansion or P permutation followed by E expansion. 

Definitions appearing in this section are hereby extended to include definitions and implicit usage 
elsewhere in the text. For example, a form of multiplication, folding, and blending are understood to 
be broadened by descriptions elsewhere in this document and in figures. 

SUMMARY: METHOD AND MACHINE OF PRESENT INVENTION 

The method of the present invention provides symmetric encryption using a form of multiplication 
to accomplish key insertion and allow for extension of block length. 

Reference is made to figure 1. According to a preferred embodiment of the present invention 
there is provided a method for performing a round function of an iterated encryption for a plurality of 
32-bit input blocks, the steps of the method being performed by a data processor, the method 
comprising the steps of: numbering the plurality of input blocks from "0" to "n" with an input block 
number; splitting each of the plurality of input blocks into an upper half and a lower half to produce 
plain text-derived input; combining plain text-derived input with a plurality of round-dependent 
subkeys according to a form of multiplication to form a blended product; applying a plurality of 
s-boxes of the F function of a DES encryption algorithm to the blended product; and applying the P 
permutation of the F function of a DES encryption algorithm to the output of the s-boxes. An advantage 
and object is that each of the round output bits depends on at least half of the round input bits. 
Another advantage and object is enhancement of resistance to differential cryptanalysis. A number of 
failed attempts have been made in the prior art to extend the block length beyond 64 bits. The classic 
failure in the prior art is G-DES (documented and broken in [BiSh93]). 

Reference is made to figure 2. A preferred embodiment of the machine of the present invention 
for encrypting comprising: a key-inserter which employs a form of multiplication for key insertion, 
whereby the block length of the encryption can be extended. Thus, localized visible structure is 
scrambled, particularly useful when data represents a picture or mobile set of pictures. 

Reference is made to figure 3. Another preferred embodiment of the machine of the present 
invention wherein multiplication occurs in chunks at least as large as single bytes. An object and 
advantage is that the number will fit into common hardware registers. Another object and advantage 
is that the chunk may be chosen to apply over a Fermat field. 

In the mentioned preferred embodiment of the machine of the present invention, further wherein 
the individual multiplications are carried out over a Fermat field. An object and advantage of 
multiplication over a field is that the result is known to be a permutation. Another advantage and 
object of multiplication over a field is that for any known output, there exists a key which will 
transform the output to any desired input value. This property is referred to throughout this text 
hereinafter as a "group" operation. An operation which is substantially similar to this group operation 
will be called a "group-like" operation. An object and advantage of a group operation is that the 
output of the multiplication carries no information about the plain text input. 

In the mentioned preferred embodiment of the machine of the present invention, wherein the form 
of multiplication in the key inserter comprises: common multiplication of arguments to yield a 
product, designating the upper and lower half of the product, combining the upper half with the lower 
half using exclusive-or to form a final product. An object and advantage of this embodiment is that 
the final product maintains behavior of modulo multiplication without the clear algebraic structure. 
Another object and advantage of the form of multiplication is enabling folding the result of the form 
of multiplication with itself or another companion execution. Another object and advantage is that the 
machine can be generalized to more than two arguments. 

In the mentioned preferred embodiment of the machine of the present invention, the form of 
multiplication in the key inserter comprises: common multiplication of arguments to yield a first 
product, common multiplication of other arguments to yield a second product, designating an upper 
and lower half of the first product, designating an upper and lower half of the second product, 
combining the upper half of the first product with the lower half of the second product using 
exclusive-or to form a first final product. Combining the upper half of the second product with the 
lower half of the first product using exclusive-or to form a second final product. An object and 
advantage of the form of multiplication is that the resultant apparatus for folding solves the long-felt 
need for a 128-bit block method. Another advantage of the form of multiplication is that the machine 
can be generalized to more than two arguments. 

In the mentioned preferred embodiment of the machine of the present invention, the form of 
multiplication in the key inserter comprises: circuits to perform multiplication on a plurality of 
arguments to form a first product. Logic circuits perform exclusive-or on the plurality of arguments 
to form a second product. Logic circuits to perform addition between the first product and the 
second product to form a gorilla product. An advantage of the form of multiplication is that the result 
is a pseudo-random expansion of one of the arguments. An object of the form of multiplication is that 
it enables folding the result of the form of multiplication with itself or another companion execution. 
Another advantage of the form of multiplication is that the machine can be generalized to more than 
two arguments. A preferred embodiment of the folding machine of the present invention wherein the 
gorilla product is provided to a machine comprising: a counter which counts the plurality of 
arguments, calling it n. A repeater provides a new set of arguments and calculates n gorilla products. 
A splitter which divides each gorilla product into n pieces, each with index i from 1..n. A combiner 
which combines using exclusive-or n pieces such that the combine will take exactly one piece from 
each gorilla product, and exactly one piece of any gorilla product with the index i for all i. The 
combiner yields a plurality of n folded products. A preferred embodiment of the machine of the 
present invention, wherein the form of multiplication in the key inserter comprises: (a*b) + (a 
exclusive-or b), whereby the result is a pseudo-random expansion of one of the arguments. 
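The counter, repeater, splitter and combiner of the folding machine just described, as an added C example (not the patent's own implementation) that generalizes the pairwise fold to n arguments; MAX_N, the sample argument sets and the 0-based piece index are my own choices, and with n = 2 the two folded products are exactly the two mixes of the pairwise fold.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_N 4   /* n 16-bit arguments give a 16*n-bit product; n = 4 fits 64 bits */

/* Gorilla product of n 16-bit arguments: common multiplication of all the
 * arguments (first product) plus the exclusive-or of all the arguments
 * (second product). Carry out of 64 bits is discarded (none occurs for n <= 4). */
uint64_t gorilla_product(const uint16_t *args, int n)
{
    uint64_t first = 1, second = 0;
    for (int i = 0; i < n; i++) {
        first *= args[i];
        second ^= args[i];
    }
    return first + second;
}

/* Splitter: piece i of a gorilla product, its i-th 16-bit chunk counting
 * from the least significant (0-based here; the text numbers pieces 1..n). */
uint16_t piece(uint64_t g, int i)
{
    return (uint16_t)(g >> (16 * i));
}

/* Combiner: from n gorilla products g[0..n-1] produce n folded products.
 * Folded product k takes piece (j + k) mod n from gorilla product j, so it
 * exclusive-ors exactly one piece from each gorilla product and exactly one
 * piece of each index; across all k every piece is used exactly once. */
void fold_n(const uint64_t *g, int n, uint16_t *folded)
{
    for (int k = 0; k < n; k++) {
        uint16_t acc = 0;
        for (int j = 0; j < n; j++)
            acc ^= piece(g[j], (j + k) % n);
        folded[k] = acc;
    }
}

/* Repeater: n sets of n arguments (sets[j] is the j-th set) -> n folded products. */
void fold_machine(const uint16_t sets[][MAX_N], int n, uint16_t *folded)
{
    uint64_t g[MAX_N];
    for (int j = 0; j < n; j++)
        g[j] = gorilla_product(sets[j], n);
    fold_n(g, n, folded);
}

/* Folded product k of the machine, for checking results one at a time. */
uint16_t folded_product(const uint16_t sets[][MAX_N], int n, int k)
{
    uint16_t folded[MAX_N];
    fold_machine(sets, n, folded);
    return folded[k];
}

/* Constructed samples: three sets of three arguments, and two sets of two
 * (the latter are the same values as a pairwise fold of two products). */
static const uint16_t sample_sets3[3][MAX_N] = {
    { 0x1000, 0x1000, 0x1000, 0 },   /* gorilla product 0x1000001000 */
    { 0x0001, 0x0001, 0x0001, 0 },   /* gorilla product 2 */
    { 0x0000, 0x0007, 0x0009, 0 },   /* gorilla product 14: zero factor, xor survives */
};
static const uint16_t sample_sets2[2][MAX_N] = {
    { 0xFFFF, 0xFFFF, 0, 0 },        /* gorilla product 0xFFFE0001 */
    { 0x1234, 0x0100, 0, 0 },        /* gorilla product 0x00124734 */
};

uint16_t sample3_folded(int k) { return folded_product(sample_sets3, 3, k); }
uint16_t sample2_folded(int k) { return folded_product(sample_sets2, 2, k); }

int main(void)
{
    for (int k = 0; k < 3; k++)
        printf("n=3 folded product %d = %04x\n", k, sample3_folded(k));
    for (int k = 0; k < 2; k++)
        printf("n=2 folded product %d = %04x\n", k, sample2_folded(k));
    return 0;
}
```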




Another preferred embodiment of the method of the present invention for operating a general 
purpose data processor of known type to enable the data processor to encrypt comprising: employing an 
operation on two inputs yielding a double-size result, folding half of the result into a companion 
execution. An advantage and object is that a shorter input length keyed hash function can be built. 
Another advantage is that pass phrases can be processed without excessive padding. 

Reference is made to figure 4. A preferred embodiment of the method of the present invention for 
constructing a key schedule for an encryption algorithm, the steps of the method being performed by 
a data processor, the method comprising the steps of: determining a first set of at least one subkey for 
the encryption algorithm; encrypting a master key according to the encryption algorithm by using the first 
set of at least one subkey to produce a cipher text; repeating the encryption of the master key for at 
least a first number of rounds required to achieve dependence of every bit of cipher text on each bit 
of master key; continuing the encryption of the master key for an integral number of rounds, the integral 
number being at least one; extracting subkeys from the output of the round; further continuing the 
encryption of the master key and extraction of subkeys until a second set of subkeys has been 
generated. An advantage and object is that the key schedule solves the need for an expandable, 
generalizable, fast, user defined speed, well-mixed key schedule. 

A preferred embodiment of the method of the present invention wherein the first set of at least one 
subkey is derived from DES s-box entries. 

A preferred embodiment of the method of the present invention wherein the second set of at least 
one subkey is derived from the output of the round function in the encryption algorithm. 

A preferred embodiment of the method of the present invention further comprising the steps of: 
encrypting the cipher text with the second set of at least one subkey according to the encryption 
algorithm to produce further encrypted cipher text, with the object and advantage of creating a third 
set of subkeys for use in encryption of actual plain text. 
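The key schedule of figure 4, as an added C example that is not the patent's own code, on a toy 32-bit Feistel cipher whose round function is the form of multiplication with the upper half of the product folded into the lower half; the constants of the first subkey set, MIX_ROUNDS, NSUBKEYS and the function names are my own and stand in for the DES s-box-derived entries and round counts of the text.

```c
#include <stdint.h>
#include <stdio.h>

#define NSUBKEYS   8   /* rounds of the toy cipher = subkeys to generate */
#define MIX_ROUNDS 8   /* rounds of master-key encryption before extraction starts */

#define UPPER(x) ((uint16_t)((x) >> 16))
#define LOWER(x) ((uint16_t)((x) & 0xFFFFu))

/* Round function: form of multiplication x*k + (x ^ k), with the upper half
 * of the 32-bit product folded into the lower half by exclusive-or (the
 * "final product" embodiment). No s-boxes or P permutation: this toy keeps
 * only the key-insertion step of the round. */
static uint16_t round_fn(uint16_t x, uint16_t k)
{
    uint32_t p = (uint32_t)x * (uint32_t)k + (uint32_t)(x ^ k);
    return LOWER(p) ^ UPPER(p);
}

/* One Feistel round on a 32-bit block held as two 16-bit halves. */
static void feistel_round(uint16_t *l, uint16_t *r, uint16_t k)
{
    uint16_t t = *r;
    *r = *l ^ round_fn(*r, k);
    *l = t;
}

uint32_t encrypt32(uint32_t block, const uint16_t *subkeys, int rounds)
{
    uint16_t l = UPPER(block), r = LOWER(block);
    for (int i = 0; i < rounds; i++)
        feistel_round(&l, &r, subkeys[i]);
    return ((uint32_t)l << 16) | r;
}

uint32_t decrypt32(uint32_t block, const uint16_t *subkeys, int rounds)
{
    uint16_t l = UPPER(block), r = LOWER(block);
    for (int i = rounds - 1; i >= 0; i--) {     /* undo the rounds in reverse */
        uint16_t t = l;
        l = r ^ round_fn(l, subkeys[i]);
        r = t;
    }
    return ((uint32_t)l << 16) | r;
}

/* First set of subkeys: constructed constants standing in for the DES
 * s-box-derived entries of the text, reused cyclically round after round. */
static const uint16_t initial_set[4] = { 0xE4D1, 0x2FB8, 0x3A60, 0x9C75 };

/* Key schedule of figure 4: encrypt the master key under the first set for
 * MIX_ROUNDS rounds so every bit of the state depends on every master-key
 * bit, then keep encrypting one round at a time, extracting the right half
 * of each round output as the next subkey until NSUBKEYS are generated. */
void key_schedule(uint32_t master_key, uint16_t *subkeys)
{
    uint16_t l = UPPER(master_key), r = LOWER(master_key);
    int round = 0;
    for (; round < MIX_ROUNDS; round++)
        feistel_round(&l, &r, initial_set[round % 4]);
    for (int i = 0; i < NSUBKEYS; i++, round++) {
        feistel_round(&l, &r, initial_set[round % 4]);
        subkeys[i] = r;                          /* subkey taken from round output */
    }
}

/* 1 if decryption under the derived schedule inverts encryption. */
int roundtrip_ok(uint32_t master_key, uint32_t plaintext)
{
    uint16_t ks[NSUBKEYS];
    key_schedule(master_key, ks);
    return decrypt32(encrypt32(plaintext, ks, NSUBKEYS), ks, NSUBKEYS) == plaintext;
}

/* 1 if two master keys produce schedules that differ in some subkey. Since
 * the Feistel state is a bijection of the master key and consecutive subkeys
 * are that state's two halves, distinct keys always differ here. */
int schedules_differ(uint32_t m1, uint32_t m2)
{
    uint16_t a[NSUBKEYS], b[NSUBKEYS];
    key_schedule(m1, a);
    key_schedule(m2, b);
    for (int i = 0; i < NSUBKEYS; i++)
        if (a[i] != b[i]) return 1;
    return 0;
}

int main(void)
{
    uint16_t ks[NSUBKEYS];
    key_schedule(0x0123ABCDu, ks);               /* constructed master key */
    for (int i = 0; i < NSUBKEYS; i++)
        printf("subkey %d = %04x\n", i, ks[i]);
    printf("ciphertext = %08x\n", encrypt32(0xDEADBEEFu, ks, NSUBKEYS));
    printf("roundtrip ok = %d\n", roundtrip_ok(0x0123ABCDu, 0xDEADBEEFu));
    return 0;
}
```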
Reference is made to figure 5. Another preferred embodiment of the machine of the present 
invention for encrypting comprising: circuits which employ at least a 128-bit key and block size. An 
object and advantage is that the machine is suitable as a hash function. An additional advantage is 
employing the current invention instead of a human needing to provide and debug a distinct, less well 
understood specialized hash. An unexpected result is that every bit of key and every bit of plain text 
cause every single bit of the resultant cipher text to become unpredictable. 

Another preferred embodiment of the machine of the present invention for encrypting further 
comprising the circuits providing the large key size are implemented by using the circuits providing a 
large block size. An advantage is that the machine key schedule can be accomplished in zero 
additional time. An object is that the machine mixes rapidly over the entire block size. Another 
advantage is the generality of the key schedule which provides a rapid key schedule design ready for 
new ciphers. 

Another preferred embodiment of the machine of the present invention for encrypting further 
comprising an optimal sorting network. An advantage of employing an optimal sorting network is to 
ensure complete mixing within each round. An object of employing the generalized construction of 
optimal sorting methods allows the machine to be extended to arbitrary sizes. An advantage of 
accomplishing extension of block size to arbitrary sizes allows larger proportions of the output to be 
disclosed together, yet reversal of the whole process remains difficult. 

Reference is made to figure 6. Another preferred embodiment of the method of the present 
invention for operating a general purpose data processor of known type to enable the data processor to 
encrypt employing a key schedule comprising: feeding the full set of 64 key bits per block into a 
rearranged PC2 from DES. An object of feeding the full 64 bits per block into a rearranged PC2 from 
DES is that all of the key bits provided by the user are employed. An advantage of employing all of 
the key bits is that exhaustive search on such a modified method would require guessing the full 64 
bits. For a number of years, attempts have failed to generate an accepted key schedule that solves the 
long-felt need for using all the bits in the master key. 

Another preferred embodiment of the method of the present invention for operating a general 
purpose data processor of known type to enable the data processor to encrypt employing a key schedule 
further comprising: entries of PC2 with values above 28 have four added to them. An object of 
adding four to values above 28 is that the schedule will have balanced left and right halves. An advantage 
of a selected key table (see specifically figure 10, table I) is that round subkey bits depend equally on 
any given master key bit. 
Another preferred embodiment of the method of the present invention for operating a general 
purpose data processor of known type to enable the data processor to encrypt employing a key schedule 
further comprising: the key schedule rotation is carried out 64 bits at a time rather than in two groups 
of 32 each, with an advantage of eliminating the distinction between two halves present in the prior 
art. An object is that an eavesdropper would find it more difficult to isolate parts of a key. 

Another preferred embodiment of the method of the present invention for operating a general 
purpose data processor of known type to enable the data processor to encrypt employing a key schedule 
further comprising: the subkey is made dependent on the serial number of the parallel execution, with 
an advantage that even if the master key repeats exactly, the subkeys will not. An object of causing 
output from a system with a repeated master key and repeated data to be distinct is that the typical 
demonstration of a product built according to the method is more pleasant to humans. 

Another preferred embodiment of the method of the present invention for operating a general purpose data processor of known type to enable the data processor to encrypt employing a key schedule, further comprising: the subkey used is derived from finding a multiplicative inverse over a field, with an advantage that the key insertion operation thereby becomes modulo division. An object of modulo division is that such a key insertion operation is no longer argument-order insensitive. An advantage of the order sensitivity is that interchanging plain text and master key gives different results, even for a key insertion operation.
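Key insertion as modulo division, as an added worked example that is not the patent's own code: the subkey is the multiplicative inverse of the master-key word in a field, so inserting the key divides the text word by the key word modulo the field prime, and swapping text and key no longer gives the same result as it does for exclusive-or. The field GF(65537) (a Fermat prime; the patent speaks of a Fermat field elsewhere but fixes no modulus), the 16-bit word size and the mask values are assumptions; the zero word, which has no inverse, is replaced by a constructed round-dependent mask in the spirit of the zero-subkey embodiment below.

```python
# Added example (not the patent's own code): key insertion by multiplicative
# inverse over a field, so that inserting the key becomes modulo division.
# Assumptions: the field is GF(P) with P = 65537 (a Fermat prime; the patent
# fixes no modulus), words are 16 bits, and the masks are constructed here.

P = 65537                                        # 2**16 + 1, prime, so GF(P) is a field
ROUND_MASKS = [0x9E37, 0x79B9, 0x7F4A, 0x7C15]   # constructed round-dependent masks


def field_inverse(k: int) -> int:
    """Multiplicative inverse of k in GF(P); zero has none."""
    k %= P
    if k == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse in GF(P)")
    return pow(k, P - 2, P)          # Fermat's little theorem: k**(P-2) == k**-1 mod P


def _key_word(master_word: int, round_no: int) -> int:
    """Key word actually used: a zero word is swapped for a round mask."""
    k = master_word % P
    return k or ROUND_MASKS[round_no % len(ROUND_MASKS)]


def subkey_from_master(master_word: int, round_no: int = 0) -> int:
    """The subkey is the field inverse of the (masked) master-key word."""
    return field_inverse(_key_word(master_word, round_no))


def insert_key(x: int, master_word: int, round_no: int = 0) -> int:
    """x * k**-1 mod P: modulo division of the text word by the key word."""
    return (x * subkey_from_master(master_word, round_no)) % P


def remove_key(y: int, master_word: int, round_no: int = 0) -> int:
    """Undo insert_key by multiplying back by the key word."""
    return (y * _key_word(master_word, round_no)) % P


def order_sensitive(x: int, k: int) -> bool:
    """True when swapping text and key changes the result. Exclusive-or
    would return False for every pair, since x ^ k == k ^ x."""
    return insert_key(x, k) != insert_key(k, x)
```

The check in `order_sensitive` is the point of the embodiment: with exclusive-or the two arguments are interchangeable, with division they are not, and `remove_key` shows the operation is still invertible for the legitimate holder of the key word.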

Another preferred embodiment of the method of the present invention for operating a general purpose data processor of known type to enable the data processor to encrypt employing a key schedule, further comprising: the zero subkey is replaced by a round-dependent mask value. An advantage of using a round-dependent mask is that weak keys are replaced with arbitrary and better values. An object of employing a round-dependent mask value is that the typically demonstrated zero master key provides a decent mixing function.
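The key-schedule embodiments above, as one added worked example that is not the patent's own code: all 64 master-key bits are fed to a rearranged PC2 whose entries above 28 are raised by four, the rotation is applied to the whole 64-bit register at once, the subkey depends on the serial number of the parallel execution, and a zero subkey is replaced by a round-dependent mask. The standard DES PC2 table and rotation amounts are reused; that the serial number enters by exclusive-or, and the mask values, are assumptions, since the patent fixes neither. `master_bits_used()` counts how many of the 64 master-key positions reach at least one subkey, which is the object stated for the first embodiment.

```python
# Added example (not the patent's own code): a DES-style key schedule that
# feeds all 64 master-key bits through a rearranged PC2, rotates the whole
# 64-bit key, mixes in the execution serial number and masks a zero subkey.
# Assumptions: serial number folded in by XOR; constructed mask values.

MASK64 = (1 << 64) - 1
MASK48 = (1 << 48) - 1

# Standard DES PC2: 48 positions out of 56 (position 1 = most significant bit).
PC2 = [14, 17, 11, 24,  1,  5,  3, 28, 15,  6, 21, 10,
       23, 19, 12,  4, 26,  8, 16,  7, 27, 20, 13,  2,
       41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]

# Rearranged PC2: entries above 28 are moved up by four, so 24 bits come from
# positions 1..28 and 24 bits from positions 33..60 of the full 64-bit key,
# i.e. balanced left and right halves of a 64-bit register.
PC2_REARRANGED = [v + 4 if v > 28 else v for v in PC2]

# Standard DES per-round left-rotation amounts (they sum to 28).
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]


def rotl64(x: int, n: int) -> int:
    """Rotate the whole 64-bit key left; no split into two halves."""
    n %= 64
    return ((x << n) | (x >> (64 - n))) & MASK64


def select_bits(key64: int, table) -> int:
    """Build a word by picking the listed bit positions (1 = MSB of 64)."""
    out = 0
    for pos in table:
        out = (out << 1) | ((key64 >> (64 - pos)) & 1)
    return out


def round_mask(round_no: int) -> int:
    """Constructed round-dependent 48-bit mask that replaces a zero subkey."""
    m = (0x0123456789AB * (round_no + 1) + 0x5A5A) & MASK48
    return m or 1


def subkeys(master64: int, serial: int = 0, rounds: int = 16) -> list:
    """Round subkeys (48 bits each) for one parallel execution."""
    state = master64 & MASK64
    out = []
    for r in range(rounds):
        state = rotl64(state, SHIFTS[r % 16])
        sk = select_bits(state, PC2_REARRANGED)
        sk ^= serial & MASK48           # assumption: serial number enters by XOR
        if sk == 0:                     # zero (weak) subkey -> round-dependent mask
            sk = round_mask(r)
        out.append(sk)
    return out


def master_bits_used(rounds: int = 16) -> int:
    """Number of distinct master-key bit positions that reach some subkey."""
    used, shift = set(), 0
    for r in range(rounds):
        shift += SHIFTS[r % 16]
        for pos in PC2_REARRANGED:
            # after a left rotation by `shift`, position pos holds original bit pos+shift
            used.add((pos - 1 + shift) % 64 + 1)
    return len(used)
```

With the table above the 16 rotations reach every one of the 64 positions, so an exhaustive search has no unused bits to skip; a single round touches only the 48 positions PC2 selects.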

Reference is made to figure 7. Another preferred and optional embodiment of the method of the present invention described in figure 1, wherein the form of multiplication features the steps of: multiplying a plurality of bits from the plain text-derived input and a plurality of bits from the plurality of round-dependent sub keys to form a common multiplication product; performing an exclusive-or function on a plurality of bits from the plain text-derived input and a plurality of bits from the plurality of round-dependent sub keys to form a balanced product. The step of combining the plain text-derived input with a plurality of round-dependent sub keys further comprises the step of: performing an addition function on the common multiplication product and the balanced product to form a pseudo-random product. The step of combining the plain text-derived input with a plurality of round-dependent sub keys further comprises the steps of performing a thorough folding operation on two pseudo-random products as follows: fold the upper half of the first pseudo-random product into the lower half of the second pseudo-random product to form a first result; fold the lower half of the first pseudo-random product into the upper half of the second pseudo-random product to form a second result; concatenate the first result to the second result to form a folded product. An advantage of these or equivalent steps is that all the bits of each of the products depend heavily on both plain text-derived inputs and both round-dependent sub keys. The step of combining the plain text-derived input with a plurality of round-dependent sub keys further comprises the step of performing a blending operation on two folded products as follows: concatenate the lower half of the first folded product with the upper half of the second folded product to form a blended product. Optionally and preferably, the fold operation is exclusive-or. An object is that an input to a plurality of distinct s-boxes depends on four plain text-derived inputs and four corresponding round-dependent sub keys. These advantages and objects have many alternative descriptions; any description with similar results is sufficient. The descriptions provided herein are strictly exemplary.

Reference is made to figure 8. An alternative embodiment of the machine of the present invention employs an extended P permutation machine comprising a local scrambling operation and a permutation distributing bits from the output of a given local scrambler to the input of other local scramblers.

An extended P permutation is defined as a permutation on groups of s-boxes wherein the orbital property is preserved between (and within) the groups of s-boxes. Where the orbital property is not possible, because the number of outputs is limited, an extended P permutation will distribute the output bits evenly, balancing the value of public bits against private bits to break symmetry. Public bits are those repeated by the E expansion. A machine for data scrambling comprising a local scrambling operation and a permutation distributing bits from the output of a given local scrambler to the input of other local scramblers, comprising: a local scrambler P which distributes four outputs among eight possible boxes, and a global scrambler PP which distributes a plurality of outputs among groups of possible s-boxes to effect an extended P permutation. Optionally and alternatively, a known permutation is used within each scrambler, further comprising: wires which interconnect the output of a given scrambler with inputs of other scramblers. Optionally and alternatively, the known permutation is the prior art P permutation from DES.

Reference is made to figure 9. A preferred embodiment of the method of the present invention for implementing substitution boxes in logic gates on a 32-bit microprocessor. An advantage of employing a 32-bit processor is that the method is applicable to Intel-compatible microprocessors.

Another preferred embodiment of the method of the present invention wherein the plurality of s-boxes are applied in bit-slice form using logic gates. An object and advantage is that a physical apparatus can be easily built and speed gains achieved.

A preferred embodiment of the machine of the present invention wherein the encrypting is implemented by bit-slicing circuits. An advantage is thereby providing a design for a physical apparatus of logic gates. An object is that the machine can be implemented with fivefold speed gains.
Reference is made to figure 10. A preferred embodiment of the method of the present invention for operating a general purpose data processor of known type to enable the data processor to encrypt comprising: employing masks in which the mask used depends on information available within the round function, selected from the group consisting of round number and data being encrypted, with an advantage that repeated plain text-derived-input and sub key pairs will still permit the round function to generate distinct output. An object is to correctly treat a master key with repeated segments, useful to verify the functionality of the method.

Another preferred embodiment of the method of the present invention, optionally and preferably further comprising the step of performing a combining operation on the plurality of input blocks with a mask determined according to a criterion selected from the group of the number of the round being performed and the input block number.

A preferred embodiment of the machine of the present invention for encrypting plain text-derived-input comprising: a memory providing the s-boxes of DES as numbers, and a logic circuit which combines the numbers on a bit-by-bit basis with limited carry into the stream of the plain text-derived-input. Exclusive-or is a group-like operation relative to Hamming weights. Given one input with a given Hamming weight, it is always possible to find a second input such that the output Hamming weight will be that desired. If one of the arguments has a balanced Hamming weight, approximately equal numbers of zeros and ones, and the other argument has an unbalanced Hamming weight, mostly zeros or mostly ones, the result will usually be more balanced than the second argument. Thus, an advantage is that plain text-derived input which tends toward an unbalanced Hamming weight will have that tendency corrected. An object of correcting unbalanced input is to allow providing plain text with redundancy.

Reference is made to figure 11. A preferred embodiment of the machine of the present invention for an operation selected from the group of hashing machine and encryptor wherein a plain text and a plurality of sub keys are employed as new sub key generators to generate new sub keys, whereby the new sub keys are employed to process future plain texts.

One embodiment of the method of the present invention seeks to provide improved methods for DES encryption, it being understood that an iterative block cipher could be used in place of DES, and it being further understood that any cryptographic primitive could be used to replace DES in the description and claims. Moreover, wherever addition or multiplication are used in the claims, it is illustrative, in that either could be replaced by at least one operation selected from the group consisting of a form of multiplication, blending, folding and combining.

Reference is made to figures 20-26. There is thus provided, in accordance with a preferred embodiment of the present invention, a method for protecting confidentiality of information written on a notebook computer, the method comprising: protecting a plurality of files on an automatic file-by-file basis, wherein protection of each individual file includes the following steps: using a symmetric cryptosystem to encrypt the individual file, thereby to generate an encrypted individual file; and storing the encrypted individual file on the notebook computer.

Also provided, in accordance with another preferred embodiment of the present invention, is a method for protecting confidentiality of information written on a hard disk, the method comprising: using a first symmetric cryptosystem to encrypt a file having a selectably known file key; and encrypting the selectably known file key using a second symmetric cryptosystem and a selectably known master key derived from a selectably known pass phrase using a cryptographically strong hash function.
Further in accordance with another preferred embodiment of the present invention is a method comprising the following steps: decrypting the selectably known file key using the second symmetric cryptosystem and the selectably known master key; and decrypting the file using the selectably known file key and the first symmetric cryptosystem. Further in accordance with another preferred embodiment of the present invention is a method in which the cryptographically strong hash function comprises a MAC (message authentication code).
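The file protection and recovery steps of figures 20-26, as one added worked example that is not the patent's own code: each file is encrypted under its own file key (the first cryptosystem), the file key is encrypted under a master key derived from the pass phrase by a strong hash (the second cryptosystem), and a MAC over the stored record lets recovery reject a wrong master key or a modified record before anything is decrypted. The primitives are assumptions chosen so the example runs on the Python standard library alone: PBKDF2-HMAC-SHA256 for the pass-phrase derivation and an HMAC-SHA256 keystream in counter mode as the symmetric cipher; the patent names neither.

```python
# Added example (not the patent's own code): file-by-file protection with a
# per-file key wrapped under a pass-phrase-derived master key, plus a MAC.
# Assumptions: PBKDF2-HMAC-SHA256 is the strong hash; the symmetric cipher
# is an HMAC-SHA256 keystream in counter mode (stand-ins for the patent's
# unnamed "symmetric cryptosystem" and "cryptographically strong hash").
import hashlib
import hmac
import os

KEY_LEN = 32
NONCE_LEN = 16
PBKDF2_ROUNDS = 100_000


def master_key_from_passphrase(passphrase: str, salt: bytes) -> bytes:
    """Selectably known master key derived from the pass phrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               PBKDF2_ROUNDS, dklen=KEY_LEN)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric cipher: XOR data with an HMAC-SHA256 keystream. The same
    call encrypts and decrypts; a (key, nonce) pair must never be reused."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"),
                         hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def _mac_input(record: dict) -> bytes:
    """Everything stored on disk is covered by the MAC."""
    return (record["wrap_nonce"] + record["wrapped_key"] +
            record["file_nonce"] + record["ciphertext"])


def protect_file(plaintext: bytes, master_key: bytes) -> dict:
    """Encrypt the file under a fresh file key, wrap that key under the
    master key, and MAC the record that will be stored."""
    file_key = os.urandom(KEY_LEN)                 # first cryptosystem's key
    file_nonce = os.urandom(NONCE_LEN)
    ciphertext = keystream_xor(file_key, file_nonce, plaintext)
    wrap_nonce = os.urandom(NONCE_LEN)
    wrapped_key = keystream_xor(master_key, wrap_nonce, file_key)   # second cryptosystem
    record = {"file_nonce": file_nonce, "ciphertext": ciphertext,
              "wrap_nonce": wrap_nonce, "wrapped_key": wrapped_key}
    record["tag"] = hmac.new(master_key, _mac_input(record), hashlib.sha256).digest()
    return record


def recover_file(record: dict, master_key: bytes) -> bytes:
    """Verify the MAC first, then unwrap the file key, then decrypt the file."""
    expected = hmac.new(master_key, _mac_input(record), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong master key or modified record")
    file_key = keystream_xor(master_key, record["wrap_nonce"], record["wrapped_key"])
    return keystream_xor(file_key, record["file_nonce"], record["ciphertext"])
```

Checking the MAC before any decryption is what makes the wrong-pass-phrase and tampered-record cases fail cleanly instead of yielding garbage; the salt and nonces are stored alongside the record and need not be secret, only the pass phrase does.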

Reference is made to figures 27-36. There is thus provided, in accordance with a preferred embodiment of the present invention, a DES encryption method including performing N DES rounds, including, for at least one 1<=n<=N, performing an n'th DES round on a sub key and a plain text derived input to the n'th round wherein addition is substituted for exclusive-or in performing the n'th DES round, wherein a sub key is defined for each of the N rounds and wherein at least some of the N sub keys are dependent.

Further, in accordance with a preferred embodiment of the present invention, all of the N sub keys are derived from a standard key schedule. Still further in accordance with a preferred embodiment of the present invention, the plain text derived input to the n'th round (n>1) comprises an output of a round previous to the n'th round. Additionally, in accordance with a preferred embodiment of the present invention, the plain text derived input to the first round comprises at least a portion of the plain text.

Also provided, in accordance with another preferred embodiment of the present invention, is a DES encryption method including performing N>16 rounds, including, for at least one 1<=n<=N, performing an n'th DES round on a sub key and a plain text derived input to the n'th round wherein addition is substituted for exclusive-or in performing the n'th DES round.

Also provided, in accordance with another preferred embodiment of the present invention, is a DES encryption system including an addition-based DES encryptor operative to perform N DES rounds including, for at least one 1<=n<=N, performing an n'th DES round on a sub key and a plain text derived input to the n'th round wherein addition rather than exclusive-or is used to perform the n'th DES round, wherein a sub key is defined for each of the N rounds and wherein at least some of the N sub keys are dependent. Further in accordance with a preferred embodiment of the present invention, the step of performing N DES rounds comprises performing a bit-slice implementation of DES.

Also provided, in accordance with another preferred embodiment of the present invention, is a DES encryption method comprising: performing N DES rounds, including, for at least one 1<=n<=N, performing an n'th DES round on a sub key and a plain-text derived input to the n'th round, wherein the step of performing N DES rounds comprises using a personal computer to perform a bit-slice implementation of DES. Further in accordance with a preferred embodiment of the present invention, the personal computer has at least one register which is 32 bits long.

Also provided, in accordance with another preferred embodiment of the present invention, is a DES encryption method comprising: performing N DES rounds, including, for at least one 1<=n<=N, performing an n'th DES round on a sub key and a plain text derived input to the n'th round, wherein the step of performing N DES rounds comprises using a computer having registers whose size is less than 64 bits to perform a bit-slice implementation of DES.

Also provided, in accordance with another preferred embodiment of the present invention, is a DES encryption method comprising: computing a sub key for each of N DES rounds, at least some of the N sub keys being dependent, by combining a plurality of key-to-sub key operations into a single key-to-sub key operation on a DES key, thereby to provide a sub key; and performing N DES rounds. Further in accordance with a preferred embodiment of the present invention, for at least one 1<=n<=N, the step of combining a plurality of key-to-sub key operations thereby to obtain an (n+1)th sub key is performed before the (n+1)th round is performed. Further in accordance with a preferred embodiment of the present invention, for at least one 1<=n<=N, the step of combining a plurality of key-to-sub key operations thereby to obtain an (n+1)th sub key is performed before the n'th round is performed. Further in accordance with a preferred embodiment of the present invention, for at least one 1<=n<=N, the step of combining a plurality of key-to-sub key operations thereby to obtain an (n+1)th sub key is performed before the n'th sub key is used. Further in accordance with a preferred embodiment of the present invention, for at least one 1<=n<=N, the step of combining a plurality of key-to-sub key operations thereby to obtain an (n+1)th sub key is performed before completing the use of the n'th sub key.
Also provided, in accordance with another preferred embodiment of the present invention, is a DES encryption method comprising: using first and second permutations and a mapping to perform each of N DES rounds, wherein the first permutation includes a left half L* and a right half R*, and wherein L* comprises a composition of an inverse P permutation and a left half, L, of an initial permutation, and wherein R* comprises a composition of the inverse P permutation and a right half, R, of the initial permutation; wherein the second permutation includes a left half L** and a right half R**, and wherein L** comprises a composition of the P permutation and a left half of the final permutation, and R** comprises a composition of the P permutation and a right half of the final permutation; and wherein the mapping comprises a composition of the P permutation with an E expansion.

Also provided, in accordance with another preferred embodiment of the present invention, is a DES encryption method comprising: performing N DES rounds, including, for at least one 1<=n<=N, performing an n'th DES round on a sub key and a plain text derived input to the n'th round wherein addition is substituted for exclusive-or in performing the n'th DES round, wherein the step of performing N DES rounds comprises performing a bit-slice implementation of DES.

Also provided, in accordance with another preferred embodiment of the present invention, is a DES encryption method comprising: performing N DES rounds, including, for at least one 1<=n<=N, generating an n'th k-bit s-box input by performing an n'th DES round on a k-bit sub key and a k-bit plain text derived input to the n'th round wherein multiplication in which any carry beyond k bits is discarded is substituted for exclusive-or in performing the n'th DES round. Further in accordance with a preferred embodiment of the present invention, all of the N sub keys are derived from a standard key schedule. Further in accordance with a preferred embodiment of the present invention, the plain-text derived input to the n'th round (n>1) comprises an output of a round previous to the n'th round. Further in accordance with a preferred embodiment of the present invention, the plain text derived input to the first round comprises at least a portion of the plain text. Further in accordance with a preferred embodiment of the present invention, N>16.

Also provided, in accordance with another preferred embodiment of the present invention, is a DES encryption system comprising: a DES encryptor operative to perform N>16 DES rounds, including, for at least one 1<=n<=N, performing an n'th DES round on a sub key and a plain text derived input to the n'th round wherein addition is substituted for exclusive-or in performing the n'th DES round. Further in accordance with a preferred embodiment of the present invention, the step of performing an n'th DES round comprises performing a bit-slice DES round.

Also provided, in accordance with another preferred embodiment of the present invention, is a DES encryption method comprising: performing N DES rounds, including, for at least one 1<=n<=N, performing an n'th DES round on a sub key and a plain text derived input to the n'th round wherein addition is substituted for exclusive-or in performing the n'th DES round, wherein the step of performing N DES rounds comprises performing a bit-slice implementation of DES. Further in accordance with a preferred embodiment of the present invention, a sub key is defined for each of the N rounds and at least some of the N sub keys are dependent.

Also provided, in accordance with another preferred embodiment of the present invention, is a WDES encryption method comprising: performing a plurality of rounds of WDES encryption, each round using a round function F; wherein, for the round function F of at least one round, addition with final carry neglected is substituted for exclusive-or.

Also provided, in accordance with another preferred embodiment of the present invention, is a WDES encryption method comprising: performing a plurality of rounds of WDES encryption, each round using a round function F; wherein, for the round function F of at least one round, a form of multiplication is substituted for exclusive-or.

Also provided, in accordance with another preferred embodiment of the present invention, is a DES encryption method comprising: performing N DES rounds, including, for at least one 1<=n<=N, generating an n'th k-bit s-box input by performing an n'th DES round on a k-bit sub key and a k-bit plain text derived input to the n'th round wherein multiplication, performed over a ring, is substituted for exclusive-or in performing the n'th DES round. Further in accordance with a preferred embodiment of the present invention, the multiplication over a ring comprises multiplication over a finite field. Further in accordance with a preferred embodiment of the present invention, the ring has a modulus and the modulus is a product of less than 5 primes. Further in accordance with a preferred embodiment of the present invention, the ring has a modulus and the modulus is a product of less than 4 primes. Further in accordance with a preferred embodiment of the present invention, the ring has a modulus and the modulus is a product of 2 primes. Further in accordance with a preferred embodiment of the present invention, the ring has a modulus and the modulus is prime. Further in accordance with a preferred embodiment of the present invention, the ring has a modulus and the modulus comprises a product of a plurality of primes, at least one of which slightly exceeds an exponent of 256. Further in accordance with a preferred embodiment of the present invention, the ring has a modulus and the modulus comprises a product of a plurality of primes, at least one of which slightly exceeds an exponent of 65536, such as 65536 or 2^… or 2^… or 2^…. Further in accordance with a preferred embodiment of the present invention, the ring has a modulus and the modulus comprises a product of a plurality of primes, at least one of which is slightly less than an exponent of 256. Further in accordance with a preferred embodiment of the present invention, the ring has a modulus and the modulus comprises a product of a plurality of primes, at least one of which is slightly less than an exponent of 65536, such as 65536 or 2^… or 2^… or 2^….

Also provided, in accordance with another preferred embodiment of the present invention, is a WDES encryption method comprising: performing a plurality of rounds of WDES encryption, each using a round function F; wherein, for the round function F of at least one round, multiplication over a ring is substituted for exclusive-or. Further in accordance with a preferred embodiment of the present invention, the step of performing an n'th DES round comprises performing a bit-slice DES round.

Also provided, in accordance with another preferred embodiment of the present invention, is a DES encryption system comprising: a DES encryptor for performing N>16 DES rounds, including, for at least one 1<=n<=N, an addition-based DES engine operative to perform an n'th DES round on a sub key and a plain text derived input to the n'th round wherein addition rather than exclusive-or is used to perform the n'th DES round.

Also provided, in accordance with another preferred embodiment of the present invention, is a DES encryption system comprising: a DES encryptor for performing N DES rounds, including, for at least one 1<=n<=N, a DES engine operative to perform an n'th DES round on a sub key and a plain text derived input to the n'th round; and a computer having registers whose size is less than 64 bits, wherein the DES encryptor is configured to perform the N DES rounds, including performing a bit-slice implementation of DES, while running on the computer.
Also provided, in accordance with another preferred embodiment of the present invention, is a DES encryption system comprising: a sub key computation engine operative to compute a sub key for each of N DES rounds, at least some of the N sub keys being dependent, the sub key computation engine including a single key-to-sub key operator performing a combination of a plurality of key-to-sub key operations as a single key-to-sub key operation and performing the single key-to-sub key operation on a DES key, thereby to provide a sub key; and a DES engine operative to perform N DES rounds using the N sub keys.

Also provided, in accordance with another preferred embodiment of the present invention, is a DES encryption system comprising: a DES encryptor using first and second permutations and a mapping to perform each of N DES rounds, the DES encryptor comprising: a first permutation provider providing the first permutation, which includes a left half L* and a right half R*, wherein L* comprises a composition of an inverse P permutation and a left half L of an initial permutation, and wherein R* comprises a composition of an inverse P permutation and a right half R of an initial permutation; a second permutation provider providing the first permutation, which includes a left half L** and a right half R**, wherein L** comprises a composition of the P permutation and a left half L of a final permutation, and wherein R** comprises a composition of the P permutation and a right half R of a final permutation; and a mapping provider providing the mapping, which comprises a composition of the P permutation and the E expansion.

Also provided, in accordance with another preferred embodiment of the present invention, is a DES encryption system comprising: a DES encryptor operative to perform N DES rounds, including an addition-based DES engine performing, for at least one 1<=n<=N, an n'th DES round on a sub key and a plain-text derived input to the n'th round wherein addition rather than exclusive-or is used in performing the n'th DES round, wherein the N DES rounds are performed by performing a bit-slice implementation of DES.

Also provided, in accordance with another preferred embodiment of the present invention, is a DES encryption system comprising: a DES encryptor operative to perform N DES rounds, including an s-box input provider operative to provide, for at least one 1<=n<=N, an n'th k-bit s-box input by performing an n'th DES round on a k-bit sub key and a k-bit plain text derived input to the n'th round wherein multiplication, with any carry beyond k bits discarded, is used rather than exclusive-or in performing the n'th DES round.

Also provided, in accordance with another preferred embodiment of the present invention, is a DES encryption system comprising: a DES encryptor operative to perform N DES rounds, including an addition-based DES engine operative, for at least one 1<=n<=N, to perform an n'th DES round on a sub key and a plain text-derived-input to the n'th round wherein addition rather than exclusive-or is used in performing a bit-slice implementation of DES.

Also provided, in accordance with another preferred embodiment of the present invention, is a WDES encryption system comprising: a WDES encryptor operative to perform a plurality of rounds of WDES encryption, each round using a round function F, the WDES encryptor including an addition-based WDES engine operative, for the round function F of at least one round, to perform addition with final carry neglected rather than performing exclusive-or.

Also provided, in accordance with another preferred embodiment of the present invention, is a WDES encryption system comprising: a WDES encryptor operative to perform a plurality of rounds of WDES encryption, each round using a round function F, the WDES encryptor including a common multiplication-based WDES engine operative, for the round function F of at least one round, to perform common multiplication with final carry neglected rather than performing exclusive-or.
Also provided, in accordance with another preferred embodiment of the present invention, is a DES encryption system comprising: a DES encryptor operative to perform N DES rounds, the DES encryptor including, for at least one 1<=n<=N, an s-box input provider operative to provide an n'th k-bit s-box input by performing an n'th DES round on a k-bit sub key and a k-bit plain text derived input to the n'th round wherein the n'th DES round includes performing multiplication over a ring rather than performing exclusive-or.

It is appreciated that the number of bits used to store any of the various quantities shown and described herein need not necessarily be exactly as described herein. Typically, the multiplicative ratio between the various numbers of bits used to store various quantities within a particular method remains constant even if the quantities themselves are varied.

DESCRIPTION OF AN EMBODIMENT OF INVENTION: MULTIDES
A personal computer refers to a wide variety of computers whose architecture is similar to the IBM PC architecture. The term "personal computer" is not intended to include minicomputers such as a DEC Alpha.

The term "bit-slice DES" refers to the encryption methods shown and suggested in Biham, "A fast new DES implementation in software," Proceedings of Fast Software Encryption Workshop, Springer-Verlag, January 1997, and to known equivalents of the methods shown and suggested by E. Biham.

BASIC KEY INSERTION OPERATION 

Figure 14, explained in more detail later, is an exemplary illustration of a preferred embodiment which explains how to make and use an internal round function portion of the method of the present invention. Expansion, s-boxes and P-permutation are as appearing in prior art DES. One object of the method of the present invention is to overcome weaknesses in prior art DES which caused it to succumb to differential cryptanalysis.

Since the introduction of the prior art Data Encryption Standard, there has been interest in its strength and design criteria. With the discovery of prior art differential cryptanalysis, the optimality of certain aspects of the design became apparent. Central weaknesses of the prior art include bit-wise independent operations and use of involution for key insertion. In proposing any cipher, the burden lies with the authors to show that it withstands these now classical attacks well.

Upon a close reading of the results of Biham-Shamir [BiSh93] and extensive analysis, it became clear that the bit-wise involution for combining the subkey inside the F function was not a feature that strengthened the cipher.

- The inventor discovered that these two alternative attributes, (a) bit-wise and (b) involution, were responsible for the success and simplicity of differential cryptanalysis. (Eurocrypt '98: Properties of DES that facilitate Differential Cryptanalysis, Stiebel, J.)
- The prior art is vulnerable because of its use of bit-wise involution. The bit-wise aspect allowed for commutativity between the permutations and the key-insertion operation. Likewise, differential cryptanalysis is able to effectively "ignore" the E expansion and P permutation.

Differential cryptanalysis deals with the question of how to overcome the S substitution boxes using input exclusive-or, probability and output exclusive-or. The use of the involution enables canceling the effect of the round key.

Preferably, replacement of a bit-wise operation such as exclusive-or with a group operation such as a form of multiplication, optionally over a ring or field, enhances the cryptographic strength of the cipher.

The existing F function used in the round is documented in the prior art DES patent. The operations used in the prior art F function are E expansion, key insertion with exclusive-or, s-box calculation, followed by P permutation. (See Tables II, III, and IV below.)
KEY INSERTION OPERATION

Reference is made to figures 1 and 2. Figure 2 is an exemplary illustration of a preferred embodiment which explains how to make and use the key insertion portion of the method of the present invention. Preferably, the form of multiplication chosen will be the common product of the two arguments plus the exclusive-or of the arguments. Optionally, modulo multiplication is employed over a Fermat field. Preferably and optionally, an embodiment of the method of the present invention defines the form of multiplication to be common multiplication with upper and lower halves folded together. Preferably and optionally, an embodiment of the method of the present invention defines the form of multiplication to be common multiplication with an upper half folded into a lower half of a companion execution of the method. Preferably and optionally, the method of the current invention is employed in a bit-slice implementation of the s-boxes.

Exclusive-or is a bit-wise involution. Exclusive-or is a simple operation which can model
addition. Not only is exclusive-or commutative (unlike subtraction), but it is also self-canceling.

Although exclusive-or causes every bit of the output to depend on bits of each argument to the
exclusive-or, the effect is extremely localized. Each output bit depends on exactly ONE bit of each of the
arguments.

This characteristic of a bit-wise operation allows exclusive-or, as well as, by extension, the input
exclusive-or used for differential cryptanalysis, to commute with the P Permutation and E Expansion
found in DES.

Thus, the P Permutation is typically combined with the E Expansion of the following round.
Optionally, the P Permutation is combined with the s-boxes. More interestingly, the E Expansion
is combined with the s-boxes of the current round (not the previous round).
In the method of the present invention, the optimizations of combining the E Expansion with the
previous or current round are no longer equivalent. Hence, in the preferred embodiment of the
method of the present invention, MultiDES, perform the E Expansion after the multiplication and
folding. In an alternative embodiment of the method of the present invention, as exemplified by
MultiDES based systems with bit-slice implementation, perform the E Expansion prior to the
multiplication and folding.

For example, an operation that approximates a group is preferred. This property means that, given an
output, for any given input specified for argument A, there exists an argument B such that A <group-
operation> B is the output.
Alternatively, the operation should not be an involution (self-canceling). The weakness of such a
property is well known. This holds even if the involution is exclusive-or with a completely unknown
random string.

CRYPTOBOX, PLURALITY-SIZE RESULT

Reference is made to figures 1 and 3. A cryptographic primitive refers to a wide variety of
operations whose goals or methods are similar to hashing, encrypting, decrypting, digital signatures,
key generation, substitution, permutation or identification, hereinafter referred to as an encryption
method. A cryptographic processor is a machine which performs a cryptographic primitive,
hereinafter referred to as a "cryptobox." Although, for clarity, the method of the present invention is
described alternately as a hash, as an encryption function, and as a key generation mechanism, it is
understood by one skilled in the art that such choice of description in the case of the present
invention is strictly illustrative and in no means meant to be limiting to one form of cryptographic
primitive or another.

A plurality of inputs designates at least one input. A plurality size result is a result of size
equivalent to the concatenation of the plurality of inputs. A single size portion is the size of a single input.
For example, let the plurality be two. Thus, a double-size input yields a double-size result. One
half of the result is a single-size portion. Alternatively, let the plurality be three. Thus, a triple-size
input yields a triple-size result. One third of the result is a single-size portion. Let the plurality,
hereinafter, be any natural number.
A companion execution refers either to a parallel execution of an embodiment of the invention or
to its own execution. In cases wherein there is only one execution it refers to that execution.

STRENGTHENING KEYS and PLAIN TEXTS: MASKS

Reference is made to figures 1 and 10. In the preferred embodiment of the method of the present
invention, to prevent identical plain text inputs together with identical subkeys from yielding identical
round-end cipher text, introduce an exclusive-or mask with a constant value which is evenly balanced
between zeros and ones. The exclusive-or mask typically depends on up to two elements selected from the
set of the round number and block number. The round number is the cardinal number of the round.
The block number is the cardinal number of the basic half block unit size such as 32 bits. Typically,
this is done prior to the key insertion operation. Alternatively, the exclusive-or mask is employed
adjacent to s-box application.

In the preferred embodiment of the method of the present invention, keys or plain texts whose
Hamming weight tends towards the maximum or minimum possible for a given key or block size may have
incomplete mixing properties when using a common or modular multiplication operation. Preferably,
to ensure more thorough mixing and a plain text or key independent preservation of entropy entering
the round, the traditional exclusive-or of the subkey and the plain text derived input is added to the
product of the subkey and the plain text derived input.

Reference is made to figure 1. The method of the present invention, whose different embodiments
are MultiDES based systems and MultiDES based systems with bit-slice implementation, share these steps:

0. Optionally, number the 32-bit input blocks 0..n; split each block into upper and lower halves.
(This step is strictly for notation.) This is box 110 in figure 1.

Preferably, the output of the optional step (continue to call it "plain text derived input"), or the
plain text derived input directly, is combined with round-number dependent subkeys. Preferably, each
piece of the plain text derived input is used exactly once.

1. Optionally, exclusive-or the plain text derived input with a round and input block number dependent
mask. In the preferred embodiment of the method of the current invention, derive the mask from the
s-boxes as shown in figure 10, described below. This step is optional. This is box 120 in figure 1.

2. Preferably, employ a form of multiplication to combine the plain text derived input (output from
step 0 or 1) with round dependent subkeys. The form of multiplication used in the preferred
embodiment includes common multiplication of the two arguments plus exclusive-or of the two
arguments. This is box 130 in figure 1.

3. Preferably, fold the results of two multiplications together. The form of folding used in the
preferred embodiment is exclusive-or of the upper half of one multiplication with the lower half of the other.
Concatenate the results to form a full-size number. This is box 140 in figure 1.

4. Preferably, blend the results of the previous folding to effect folding of four distinct
multiplications together. The form of blending used in the preferred embodiment is the concatenation
of the lower half of the first argument with the upper half of the second argument. This is box 150 in
figure 1.

Preferably, after blending two products, for example blend(a,b), then blend the same two
products again in the other order, for example blend(b,a).

5. The preferred embodiment of the present invention employs the E expansion mapping
immediately before the s-boxes. A preferable bit-slice embodiment of the present invention employs
the E expansion mapping immediately prior to the multiplication step. This is step 160 in figure
1. In the preferred embodiment of the present invention, combine the P permutation with either the E
expansion or the s-boxes. This is step 170 in figure 1.

6. Preferably, the s-boxes are then performed either normally or in bit-slice form using logic gates.

7. Preferably, apply the P-based permutation. This is step 170 in figure 1.

Although the cipher preserves the Feistel structure, the principles herein apply also to non-Feistel
ciphers, for example an exemplary embodiment of the method of the present invention in which the
round function influences and receives influence from at least half of the bits of the block size. These
ideas are relevant, for example, to IDEA and to JADE.

Figure 3 is an exemplary illustration of a preferred embodiment which explains how to make and
use the operation on two inputs yielding a double-sized result portion of the method of the current
invention. Preferably, half of the double-sized result is folded into a companion execution of the
method.

Optionally, an operation is employed on n inputs yielding an n-sized result, folding n-1 pieces of the
result into a companion execution. Optionally, each input in the folding is determined to come from a
different relative position within the n-sized result. Optionally, an operation is employed at least once
on two inputs to yield a double sized result in order to mix two distinct arguments.

Key Schedule

Reference is made to figures 4-6. In this section, the two embodiments of the method of the
present invention are detailed as regards the key schedule. The first key schedule embodiment differs
from the prior art key schedule by constructing the round subkeys with all of the bits of the master
key. The preferred key schedule embodiment of the present invention uses the block cipher itself to
generate the subkeys such that each bit of any subkey depends on every bit of the master key.

SELECTED KEY TABLE

After a careful examination of the currently available implementations of the prior art DES key
schedule, disturbing properties were noted. Reference is made specifically to figure 6.

The entire prior art schedule amounts to selection of two groups of 28 bits from the master key of
56 bits plus 8 parity bits. Two permutations are applied. Each subkey bit is exactly one bit of the
master key. Each half of every subkey is derived from a distinct half of the master key. Only 56 bits of
the available 64 bits are used. The key size is different from the block size, resulting in cryptographic
modes which have dangerous short cycle properties. Because the key schedule permutes individual
bits, it is particularly slow in software.

As a first approach, the parity bits are eliminated. Thus, all 64 bits are available for selection in the
48-bit round subkeys, and rotations in the key schedule operate on a full 32 bits each rather than 28
bits apiece as in the prior art.

Next, the two permutations "Permuted Choice 1" (hereinafter PC1) and "Permuted Choice 2"
(hereinafter PC2) may be composed using standard combinatorial methods, wherein application of the
composition is equivalent to the application of PC1 followed by PC2. (See figure 10, table I; figure 6,
box 610.)

Then, note that the resultant composition of PC1 and PC2 selects from only the first 56 bits of the
master key (discounting rotations in the key schedule). Including rotations, the lower 32 bits have a
higher probability of being included in the round subkeys.
Thus, add four to each entry in the resultant table wherein the entry in the prior art would refer to bits
29-56. This makes the number of bits selected from the master key for each half of the subkeys equal
for the two halves. (See figure 6, box 620.)

The order of the rows is preferably rearranged in the resultant table. The purpose of the
rearrangement is to cause every second row to refer to bits above the half-way mark while the other
half of the rows refer to bits below the half-way mark.

Such a table can be referred to as the "key selection permutation table" (see figure 10, table I).
Such a key schedule can be referred to as "improved." (See figure 6.)

A typical key schedule for DES, MultiDES based systems, according to one embodiment of the
method of the present invention, would use the selected key table to generate subkey bits from the
master key. The improved key schedule thereby employs a full 64 bits, uses only a single permutation,
and cancels the separation wherein upper halves of the master key corresponded to the upper half of the subkey bits.

Preferably, the method further includes the step of feeding the full 64 key bits per block into a
rearranged PC2 from prior art DES, whereby all key bits provided by the user are employed. Optionally,
entries of PC2 with values above 28 have a value of four added to them. These steps ensure that the key
schedule will be balanced between the left and right halves. Optionally, the key schedule rotation is carried
out a block at a time rather than in two half block groupings. Optionally, the subkey is made dependent
on the serial number of the parallel execution. Thus, even if the master key contains exact repeating
sequences, subkeys will not necessarily repeat. Optionally, the subkey employed is derived by finding a
multiplicative inverse over a field. Optionally, a zero subkey is replaced by a round dependent mask
value.

BOOTSTRAP KEY SCHEDULE 

Reference is made specifically to figure 5. Preferably, a large key size is implemented using a large
block size. Optionally, a larger key size is accommodated by employing cipher-block-chaining while
generating the keys. Optionally, a larger key size is accommodated by employing an embodiment of
the invention of that block size to generate subkeys. Optionally, the delay between generating
subkeys can be made arbitrarily long, with the object and advantage of increasing the time necessary for
exhaustive key search for a given key size. Optionally, an optimal sorting circuit design is used to
determine how to perform the pairings for the foldings within the round. A large key size or large
block size is understood to be at least 128 bits long.

Reference is made specifically to figure 4. After examination of the improved key schedule, the
first key schedule embodiment of the present invention has the following properties: the rotation
amount between rounds is unchanged; in this embodiment, the method is restricted to work on units
of 64 bits at a time; and the schedule yields exactly 48 bits for each subkey and, most importantly, is
still a permutation on master key bits.

A desired property of any key schedule would be that a change in a single bit of the master key
causes about half the bits of the resulting subkeys to be flipped. Additionally, each subkey bit
should be computationally independent from any given bit in the master key.

To accomplish this second approach, assume a strong block cipher with the following properties.
After four rounds of encryption, every bit of the output depends on each bit of the input. Preferably, the
block size is at least the desired master key size. Assume that encryption under any given key yields
cipher text which is computationally indistinguishable from a random permutation.

Thus, the recommended key schedule is composed as follows. (Reference is made to figure 4.)

1. Set the encryption algorithm to use a set of subkeys which are master key independent. This is step
410 in figure 4. The preferred embodiment of the key-schedule method of the present invention
employs, optionally and preferably, subkeys independent of the master key and
derived from values in the s-boxes. Usage of such strings from the s-boxes provides an easily available
set of numbers that are known to be a permutation. Moreover, the explanation of the choice imparts a
higher level of confidence in the method of the current invention to those of ordinary skill in the art.

2. Encrypt the desired master key for at least the number of rounds needed to achieve dependence of every bit of
the cipher text on each bit of the master key. Typically, this is four rounds. This is step 420 in figure 4.
3. Encrypt further an integral number of rounds, typically 1, 4, 8 or 16. Use the output of the s-boxes as the
desired subkeys. Repeat the previous step until sufficient subkey material is pseudo-randomly generated
for all the rounds; typically 16 rounds are employed, although substantially any number could be
used. The major benefits of Feistel structure completeness are realized already with these values. This is
step 430-440 in figure 4. Sample and store the key material after each employment of an integral
number of rounds, as step 430 in figure 4. Without executing the cipher again, it would be difficult for
a key-search attack to determine whether the guessed key was correct. Thus, the method of the
present invention provides additional security against the exhaustive search attacks to which the prior art
DES is vulnerable.

4. Optionally and preferably, repeat step 2 using the subkeys generated in step 3. This is step 450 in
figure 4. Optionally, at least once set the encryption keys to be the subkeys generated and encrypt
the cipher text generated, to yield a new set of encryption keys.
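The four steps above as an added, runnable example, not the patent's own cipher or schedule: the block cipher is a stand-in 64-bit Feistel network with a constructed round function, and the master-key-independent initial subkeys are constructed constants standing in for the s-box-derived values the text prefers.

```python
WORD = 32
MASK = (1 << WORD) - 1

def toy_f(half, subkey):
    """Stand-in round function, constructed for this example (not the patent's
    F function): add the subkey, then two multiply / xor-shift mixes so that a
    difference in any input bit spreads across the word within a few rounds."""
    v = (half + subkey) & MASK
    for _ in range(2):
        v = (v * 0x9E3779B9) & MASK
        v ^= v >> 15
    return v

def feistel_encrypt(block, subkeys, f=toy_f):
    """Run a 64-bit Feistel network for len(subkeys) rounds. Returns the new block
    and the list of round-function outputs, which play the role the text gives
    to the s-box outputs that are sampled as key material."""
    left, right = block >> WORD, block & MASK
    f_outputs = []
    for k in subkeys:
        fx = f(right, k)
        f_outputs.append(fx)
        left, right = right, left ^ fx
    return (left << WORD) | right, f_outputs

# Step 1: master-key-independent initial subkeys. The text takes them from the
# DES s-box rows; these constructed constants stand in for that choice.
INITIAL_SUBKEYS = [0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344]

def bootstrap_key_schedule(master_key, n_rounds=16, warmup=4, feedback=True):
    """Steps 2-4. Step 2: encrypt the master key 'warmup' rounds (four, for the
    completeness the text assumes) under the fixed subkeys. Step 3: keep
    encrypting and sample each further round's F output as one round subkey
    until n_rounds subkeys exist. Step 4 (feedback): set the cipher's keys to
    the generated subkeys and encrypt the cipher text once more; its F outputs
    are the final subkeys, so a guessed key cannot be checked without rerunning
    the whole schedule (the text's point against exhaustive search)."""
    warmup_keys = [INITIAL_SUBKEYS[i % len(INITIAL_SUBKEYS)] for i in range(warmup)]
    state, _ = feistel_encrypt(master_key, warmup_keys)
    subkeys = []
    while len(subkeys) < n_rounds:
        state, outs = feistel_encrypt(state, INITIAL_SUBKEYS)
        subkeys.extend(outs)
    subkeys = subkeys[:n_rounds]
    if feedback:
        state, subkeys = feistel_encrypt(state, subkeys)
    return subkeys

def subkey_bit_diff(key_a, key_b, **kw):
    """Fraction of subkey bits that differ between two master keys; the text's
    goal is about one half for a single-bit change in the master key."""
    sa = bootstrap_key_schedule(key_a, **kw)
    sb = bootstrap_key_schedule(key_b, **kw)
    changed = sum(bin(a ^ b).count("1") for a, b in zip(sa, sb))
    return changed / (len(sa) * WORD)

if __name__ == "__main__":
    # Constructed master keys differing in a single bit.
    print([f"{k:08x}" for k in bootstrap_key_schedule(0x0123456789ABCDEF)])
    print(subkey_bit_diff(0x0123456789ABCDEF, 0x0123456789ABCDEE))
```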

An object and advantage of the method of the present invention is use of the avalanche effect,
whereby after four rounds, preferably and optionally, any specific input bit will affect any specific
output bit. The bootstrap key schedule provides the feature of the method of the present invention
that encryption is rapid, unlike the prior art DES patent wherein each bit was handled individually.
An object and advantage of the key schedule is effective operation even using just a single key bit,
since the output of the subkeys will be changed. Thus, for applications wherein key size variability is
important, MultiDES, one embodiment of the method of the present invention, has a distinctive
advantage. Moreover, the key schedule is operative with a variable key setup time.

The advantages of the recommended key schedule include that it generalizes to Feistel block
ciphers of different internal structures and block sizes, it causes every subkey bit to be a complex
function of master key bits, it allows for a variable length key because each bit individually has
significance, and it is more rapid than even the improved key schedule.
Figure 7 is an exemplary illustration of a preferred embodiment which explains how to make and
use the form of multiplication portion of the method of the present invention. Preferably, a form of
multiplication features the steps as follows.

Preferably, multiply a plurality of bits from the plain text derived input and a plurality of bits from a
plurality of round-dependent subkeys to form a common multiplication product.
Optionally, perform an exclusive-or function on a plurality of bits from the plain text derived input and
a plurality of bits from the plurality of round-dependent subkeys to form a balanced product.

Preferably, perform a combining function on the common multiplication product and the balanced product
to form a pseudo-random product. A combining function is typically addition, alternatively subtraction.
Optionally, fold the upper half of the first pseudo-random product into the lower half of the second pseudo-
random product to form a first result. Fold the lower half of the first pseudo-random product into the upper half
of the second pseudo-random product to form a second result.

Optionally, concatenate the first result to the second result to form a folded product.

Preferably, concatenate the lower half of the first folded product with the upper half of the second
folded product to form a blended product.

These steps may be repeated, certain steps omitted, and the folding operation modified. The
essential constraint is that the number of bits flowing out of a step must equal the number of bits flowing into the
next step.
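The form of multiplication, folding and blending just described (and steps 2 to 4 of the round description earlier in this section) as an added, runnable example, not code from the patent: it assumes 32-bit plain-text-derived inputs and subkeys, so that a product is a 64-bit double-size result, and the sample values are constructed.

```python
# Assumes 32-bit arguments; a product is then a 64-bit double-size value.
WORD = 32
MASK = (1 << WORD) - 1
DOUBLE_MASK = (1 << 2 * WORD) - 1

def upper(v):
    """Upper half of a double-size value."""
    return (v >> WORD) & MASK

def lower(v):
    """Lower half of a double-size value."""
    return v & MASK

def form_of_multiplication(x, k):
    """Common product of the two arguments combined (by addition, the typical
    combining function) with their exclusive-or, the 'balanced product'. The
    result is the 64-bit pseudo-random product; the xor term keeps inputs of
    extreme Hamming weight from mixing poorly under multiplication alone."""
    return (x * k + (x ^ k)) & DOUBLE_MASK

def fold(p1, p2):
    """Fold two products: upper half of the first into the lower half of the
    second, lower half of the first into the upper half of the second, then
    concatenate the two results into a full-size folded product."""
    first = upper(p1) ^ lower(p2)
    second = lower(p1) ^ upper(p2)
    return (first << WORD) | second

def blend(f1, f2):
    """Blend: lower half of the first argument concatenated with the upper half
    of the second. blend(a, b) followed by blend(b, a) uses every half once."""
    return (lower(f1) << WORD) | upper(f2)

def key_insertion(inputs, subkeys):
    """Steps 2-4 for four inputs and four round subkeys: four multiplications,
    folded pairwise, then blended both ways so that each 64-bit output carries
    halves derived from all four products. The bit count is conserved at every
    step, the constraint the text states for modified folding schemes."""
    p = [form_of_multiplication(x, k) for x, k in zip(inputs, subkeys)]
    f_a = fold(p[0], p[1])
    f_b = fold(p[2], p[3])
    return blend(f_a, f_b), blend(f_b, f_a)

def influence_sources(inputs, subkeys):
    """For each output word, the set of sources (inputs 0-3, subkeys 4-7) whose
    single-bit flips change it. With the sample values below every source
    reaches both outputs, which is the dependence folding and blending exist
    to provide."""
    base = key_insertion(inputs, subkeys)
    reached = [set(), set()]
    for src in range(8):
        for bit in range(WORD):
            xs, ks = list(inputs), list(subkeys)
            target = xs if src < 4 else ks
            target[src % 4] ^= 1 << bit
            out = key_insertion(xs, ks)
            for w in range(2):
                if out[w] != base[w]:
                    reached[w].add(src)
    return reached

# Constructed sample values (not taken from the patent).
SAMPLE_INPUTS = [0x01234567, 0x89ABCDEF, 0xDEADBEEF, 0xCAFEBABE]
SAMPLE_SUBKEYS = [0x9E3779B9, 0x7F4A7C15, 0xF39CC060, 0x5CEDC834]

if __name__ == "__main__":
    out0, out1 = key_insertion(SAMPLE_INPUTS, SAMPLE_SUBKEYS)
    print(f"blended outputs: {out0:016x} {out1:016x}")
    print("sources influencing each output:", influence_sources(SAMPLE_INPUTS, SAMPLE_SUBKEYS))
```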

The method of the present invention uses a carefully planned and specified folding methodology
whereby each s-box input is influenced by at least half of the input bits. Another embodiment of the
method of the present invention is to have each s-box input be influenced, preferably and optionally,
by all input bits, thus requiring twice as many key bits per round by repeating the multiplication step.

Figure 8 is a self-explanatory exemplary illustration of a preferred embodiment which explains
how to make and use the permutation to span multiple blocks portion of the method of the present
invention. Preferably, a permutation to span multiple blocks features the characteristic of distributing the
output of a local scrambler to the inputs of other local scramblers as evenly as possible.
Optionally, the local scrambler is an s-box from the DES prior art.

Optionally, the internal permutation within the scrambler is the P permutation of the DES prior
art.

Significant analysis by the inventor revealed that the ideal permutation is one in which the bits are
spread out as evenly as possible. To design the scheme, count each bit. Optionally, split the same
number of public bits and the same number of private bits into each output. Optionally, split the same
number of total bits into each output. Optionally, count a public bit twice, then distribute the public
bits to the neighbors. Optionally, apply the splitting before application of the s-boxes.
The orbital property of the P permutation is defined as the observation that for each s-box, there
exists a corresponding s-box. The outputs of a pair of such s-boxes send exactly one bit to each of
the s-boxes for the next round, while neither box sends a bit to itself. An extended P permutation is
defined as a permutation on groups of s-boxes wherein the orbital property is preserved between (and
within) the groups of s-boxes. Where the orbital property is not possible, because the number of
outputs is limited, an extended P permutation will distribute the output bits evenly, balancing the value of
public bits against private bits to break symmetry. Public bits are those repeated by the E expansion.
Private bits are those bits used once by the E expansion. A companion execution refers to a wide
variety of executions in which a plurality of instances of embodiments of an invention are executed
in parallel.

An arithmetic operation refers to a wide variety of ways of combining numbers. One example of
an arithmetic operation is a form of multiplication as defined herein. Any method for combining
numbers is suitable.

Preferably, the operation of blending is designed based on the observation that each bit of round
input in prior-art DES influences four or eight bits in the output of that round (depending on whether
the bit is private or public, respectively). Due to the property of the prior-art P Permutation, the four bits
output from an s-box in the round will enter four distinct s-boxes in the next round. The P
Permutation in the prior art is constructed so that there exists another s-box whose four bits will enter
distinct s-boxes in the next round which are also distinct from those of a specific s-box. Should the
reader be familiar with electron orbital and spin, certain metaphors can assist understanding. These
properties clearly complement the Feistel structure's property of completeness after exactly four
rounds. This observation of the construction of the P Permutation was discovered by the inventor of
the present invention. Should it be extended to 5 or 6 blocks, the approach is preferably employed
prior to the s-boxes. In another embodiment of the method of the present invention, the blending
would take a plurality, such as four, of resultant products, distributing the bits so that each s-box input of
6 bits would be influenced by the maximum possible number of bits from distinct resultant products.
The effect of such an operation would be a novel and unobvious extension of the P Permutation to a
plurality of blocks.
Figure 9 is an exemplary illustration of a preferred embodiment which explains how to make and
use a circuit-based logic-gate implementation of the machine of the present invention. Preferably,
define variables; combine them one, two and three at a time. Write logical expressions using the
precomputed combinations. Alternatively, the precomputations are reduced by combining only those
that are eventually employed. Alternatively, many other combinations of the inputs are possible so
long as the operations performed are simple microprocessor instructions. The choice of the
combinations to use for each s-box or other type of table entry is substantially determined by the
choice of groupings of the variables, of which figure 9 shows an exemplary demonstration.
Alternatively, group the variables differently, such as one, two, three, four or even all six together.

HOW TO MAKE BIT-SLICE IMPLEMENTATION LOGIC GATES

A preferred embodiment of the machine of the present invention employs a logic gate
representation. This section describes how the logic gates are generated and used. The machine
employs submachines to address the appropriate tasks.

Although the submachines are referred to in this section by name, the actual contents can be
readily recreated by a programmer skilled in the art.

A machine "gates" creates the logic gates. The logic gates mimic the S-boxes. In DES, each
output bit from an S-box can be viewed as a function of 6 input bits. In the output of the "gates"
machine, each output integer is a function of 6 input integers. The structure of the "gates" machine
includes definitions of variables followed by one set per s-box of the following: X, Y, A, B, C, D, each set
to in_sbox[#] as follows. A notation X0 means a value X receives the s-box input integer number 0.
In the list herein, order is by output integers; each time 'X' reappears, a different output integer is
referenced.

X0, Y3, A4, B2, C1, D5, X7, Y8, A0, B11, C6,
X12, Y16, A17, B14, C13, D15, X20, Y21, A22, B23, C18, D19,
X25, Y27, A28, B26, C24, D29, X30, Y31, A34, B33, C32, D35,
X38, Y40, A41, B37, C36, D39, X42, Y44, A47, B43, C45, D46.
include "LOGICDEFC" (see figure 9)

4 equations; each equation indicates that an output S-box bit is a complicated function of the six
input bits X, Y, A, B, C, D.
The functions work as follows: for each output S-box bit position (from 32 plain texts), check all
4 possible X,Y possibilities. For each X,Y, check all 4 possible A,B possibilities.

All variable names appearing in the "gates" machine are determined using Polish notation, in which
one or two operands are followed by an operation.
- Operators: n = not, o = or, p = and, x = exclusive-or. Operands: X, Y, A, B, C, D
Examples: ABon = not (A or B)

CnDx = (not C) exclusive-or D
As mentioned above, the "gates" machine builds a machine which is able to employ bit-slice
techniques. The inputs to the "gates" machine are S-boxes. Each S-box has 4 rows, and each row has
16 values; each value has a range of 0 - 15 (4 bits).
Processing: For each S-box:

    For each XY: (S-box row; each row contains 16 values)
        For each of the 4 output sbox bits:
            For each AB

The object is to determine which of the 16 possible CD values, as defined in the CD[16] array,
applies for each XY, AB combination.
As an example: S-Box 1

XY=0, AB=0: Top row, 1st 4 entries, which are:
14, 4, 13, 1, which in bits are: 1110 0100 1101 0001
- represents: ~C,~D  ~C,D  C,~D  C,D

The first output bit of each entry determines out-sbox 0
    second                                    1
    third                                     2
    fourth                                    3
Out-Sbox 0: 1 0 1 0 = 10  CD[10] = "Dn"
         1: 1 1 1 0 = 14  CD[14] = "CDpn"
         2: 1 0 0 0 = 8   CD[8]  = "CDon"
         3: 0 0 1 1 = 3   CD[3]  = "C"
These are indeed the CD values for XYon & (ABon & ..) for the
out sboxes 0, 1, 2, and 3 respectively.
OutSbox[0] =

XYon & (ABon & Dn |
Meaning: The output to the 1st S-box bit position depends on:
If neither X nor Y (XYon) and also neither A nor B (ABon)

then the bit is on if not D (Dn)
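The "gates" procedure just described, as an added, runnable example (not the patent's own gates machine): it reconstructs the CD[16] array from the notation above (the text lists only entries 3, 8, 10 and 14), derives the XY/AB/CD terms for the standard DES S-box 1 (FIPS 46), and checks them bit-sliced over all 64 inputs at once. It assumes X, Y select the row and A, B, C, D (A most significant) select the column.

```python
from itertools import product

# Standard DES S-box 1 (FIPS 46); the text's worked example uses its top row 14, 4, 13, 1.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def eval_postfix(expr, env, mask):
    """Evaluate the text's notation (operands then operator; n = not, o = or,
    p = and, x = exclusive-or) on word-wide operands. 'mask' bounds the word
    so that 'not' stays inside it (mask = 1 evaluates single bits)."""
    stack = []
    for ch in expr:
        if ch == "n":
            stack.append(~stack.pop() & mask)
        elif ch in "opx":
            b, a = stack.pop(), stack.pop()
            stack.append({"o": a | b, "p": a & b, "x": a ^ b}[ch])
        else:
            stack.append(env[ch])
    (result,) = stack
    return result

def truth_index(expr, names):
    """4-bit index of expr's truth table over two variables; the most significant
    bit is the (0,0) assignment, matching the text's '1 0 1 0 = 10' for CD = 00..11."""
    idx = 0
    for v0, v1 in product((0, 1), repeat=2):
        idx = (idx << 1) | eval_postfix(expr, {names[0]: v0, names[1]: v1}, 1)
    return idx

# The CD[16] array, reconstructed here (the page lists only entries 3, 8, 10 and 14):
# one postfix expression over C, D for each of the 16 possible truth tables.
_CD_EXPRS = ["CCx", "CDp", "CDnp", "C", "CnDp", "D", "CDx", "CDo",
             "CDon", "CDxn", "Dn", "CDno", "Cn", "CnDo", "CDpn", "CCxn"]
CD = [None] * 16
for _e in _CD_EXPRS:
    CD[truth_index(_e, "CD")] = _e

# Row (XY) and column-pair (AB) selectors in the same notation, index 0..3.
_XY_SELECT = ["XYon", "XnYp", "XYnp", "XYp"]
_AB_SELECT = [s.replace("X", "A").replace("Y", "B") for s in _XY_SELECT]

def gates_for_sbox(sbox):
    """Mimic the 'gates' machine: for each XY row, each AB pair and each output
    bit, the four entries with CD = 00, 01, 10, 11 give a 4-bit pattern that
    indexes CD[16]. Returns, per output bit (0 = most significant), the list
    of (xy, ab, cd_expr) terms whose OR is that output bit."""
    terms = [[] for _ in range(4)]
    for xy in range(4):
        for ab in range(4):
            entries = sbox[xy][4 * ab:4 * ab + 4]
            for k in range(4):
                pattern = 0
                for e in entries:
                    pattern = (pattern << 1) | ((e >> (3 - k)) & 1)
                terms[k].append((xy, ab, CD[pattern]))
    return terms

def bitslice_sbox(terms, X, Y, A, B, C, D, mask):
    """Evaluate the gate network bit-sliced: bit i of each input word is the i-th
    of many parallel S-box inputs, so one pass of word operations computes them
    all. Returns four words, one per output bit position."""
    env = {"X": X, "Y": Y, "A": A, "B": B, "C": C, "D": D}
    xy_sel = [eval_postfix(s, env, mask) for s in _XY_SELECT]
    ab_sel = [eval_postfix(s, env, mask) for s in _AB_SELECT]
    out = []
    for k in range(4):
        acc = 0
        for xy, ab, cd in terms[k]:
            acc |= xy_sel[xy] & ab_sel[ab] & eval_postfix(cd, env, mask)
        out.append(acc)
    return out

def check_gates(sbox):
    """Run all 64 inputs in parallel (one per bit of a 64-bit word) through the
    generated gates and compare with table lookup. Assumed input order: X, Y
    select the row; A, B, C, D (A most significant) select the column."""
    mask = (1 << 64) - 1
    words = [0] * 6
    for i in range(64):
        for j in range(6):
            words[j] |= ((i >> (5 - j)) & 1) << i
    out = bitslice_sbox(gates_for_sbox(sbox), *words, mask)
    for i in range(64):
        got = sum(((out[k] >> i) & 1) << (3 - k) for k in range(4))
        if got != sbox[i >> 4][i & 0xF]:
            return False
    return True

if __name__ == "__main__":
    for k, t in enumerate(gates_for_sbox(S1)):
        print(f"OutSbox[{k}]: first term XY={t[0][0]} AB={t[0][1]} -> CD {t[0][2]!r}")
    print("bit-slice gates match S-box 1:", check_gates(S1))
```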
An operation on 32-bit quantities refers to a wide variety of operations such as arithmetic
operations.

Such operations are not intended to include using six bits at a time to perform a table lookup.

A step of calculation of combinations of variables for multiple usage refers to a wide variety of
forms of calculation and ways of combination. Any single or partial step in figure 9 would be
suitable, although not limiting.

Figure 10 is an exemplary illustration of an alternative embodiment which explains how to make
and use the masks derived from DES s-box entries portion of the method of the present invention. Table I, a Key
Selection Permutation Table, designates which master key bits will be selected for each round
subkey. In order to use the table, the master key must be circularly rotated by the designated amount of the
round shift as noted in the prior art.

Preferably and optionally, a mask will comprise a well balanced number which is, optionally and
preferably, a partial permutation and, optionally and preferably, derived from the rows of the s-boxes
in DES. Preferably, the mask can be combined with the plain text derived round input. Such a step
combines with the typical row-dependence of the mask to yield a strong mixing function even when the
initial plain text derived input may not be balanced between zeros and ones. Typically, the partial permutation
used will depend on the grouping of 32 bits within the plain text derived input.

Figure 11 is a self-explanatory exemplary illustration of a preferred embodiment which explains
how to make and use the key schedule portion of the method of the present invention. The top of the
figure illustrates inputs of master key and predetermined initial keys to yield master key derived
subkeys. This figure begins to set the stage for subkey-feedback mode. The middle section of the
figure illustrates inputs of master key and predetermined initial keys to yield master key derived
subkeys. These subkeys are used to encrypt, in key-generation mode, a plain text, which in turn
generates additional subkeys as well as a cipher text. This figure continues to set the stage for
subkey-feedback mode. The lower section of the figure illustrates master key derived subkeys. These
subkeys are used to encrypt, in key-generation mode, a plain text, which in turn generates additional
subkeys as well as a cipher text. These additional subkeys are used to encrypt, in key-generation mode,
another plain text, etc. This figure is subkey-feedback mode.

When employed as a hash function, a preferred embodiment of the machine of the present
invention would employ a machine which includes the length of the input into the original input itself.
A preferred embodiment of the machine of the present invention for employment as a hash function
would apply an integral number of rounds, typically four, of the system. Thereafter, it would
generate subkeys from further rounds. These subkeys would be used to influence the next plain text
to cipher text transition. (Refer to this mode hereinafter as "subkey chaining mode" or "subkey
feedback mode.") This is operative in place of cipher-block-chaining mode. An advantage and object
of such a new mode is to avoid known simple relationships between known plain text/cipher text
pairs. Such a known relationship was employed to cause the CBCM mode proposed by IBM to be
withdrawn from consideration in the United States of America standard on accepted modes.

A preferred embodiment of the method of the present invention is a stream cipher employing Output Feedback Mode (using the previous cipher text as the new plain text) with full n-bit feedback. The expected cycle length is 2 An alternative embodiment of the method of the present invention is a stream cipher employing counting mode, where the plain text is simply the output of a non-repeating counting mechanism. The next input block would be the previous input block plus one. An object and advantage of employing TMD in counter mode is that it allows for accessing the key at an arbitrary distance away, e.g. useful in random access file systems.

In a preferred embodiment of the method of the present invention, Twin TMD is operative, employed with two TMD executions, A and B, provided. Optionally, employ subkey chaining mode from A to B and cipher block chaining mode from B to a future block in A's sequence.

Folding and blending operations described elsewhere herein apply also to Twin TMD. For brevity, they are not repeated here. The chaining variables could be combined in a Feistel structure with the F function being an entire block encryption, optionally using cipher-block-chaining or subkey-chaining.

Figure 12 is a self-explanatory exemplary illustration of a preferred embodiment of the method of the present invention which explains how to make and use the encryption and decryption portion of the method of the present invention. It differs from figure 1 in that it recites fewer optional elements.

Figure 13 is a self-explanatory exemplary illustration of a preferred embodiment which explains how to make and use the key schedule portion of the method of the present invention. Preferably, in the illustrated embodiment, the encryption algorithm is set to use a set of subkeys which are independent of the master key. Optionally, these subkeys are derived from adjacent DES s-box entries along the s-box row.

The figure differs from figure 4 in that it recites fewer elements and generalizes to non-Feistel methods.

In the next figures, a plus sign in a circle is exclusive-or, an empty circle is a form of multiplication, and a plus sign in a box is classical addition.

Figure 14 is a self-explanatory exemplary illustration of a preferred embodiment which explains how to make and use an internal round function portion of the method of the present invention. An exemplary method of folding is shown, wherein the upper half of common multiplication is folded with the lower half. This is simple folding. This is a sample round function for Multi-DES using a 64-bit block size. The context of Multi-DES based systems relative to elements present in the prior art is shown.

Figure 15 is a self-explanatory exemplary illustration of a preferred embodiment which explains how to make and use a Feistel structure for Multi-DES portion of the method of the present invention. Showing the Feistel structure approach to this embodiment illustrates that the method of the current invention generalizes to Feistel systems corresponding to the block size chosen. It is illustrated according to a standard representation obvious to one of ordinary skill in the art, as described for example in [BiSh93]. The figure shows an example Feistel structure for MultiDES.

As mentioned, the form of multiplication can be applied in non-Feistel structures such as JADE, a system by the inventor of the present invention described at Eurocrypt '97. The folding methodology is applicable to non-Feistel structures, with a non-essential example being JADE. The key schedule suggested would apply to any system using subkeys; the number of rounds designated prior to key extraction will be the first round to reach completeness, that is, the round at which each output bit is influenced by each input bit. The examples herein which show generalization beyond the Feistel structure should not be construed to limit. The figure shows an example Multi-DES round function.

See the section above on prior art DES for a detailed explanation of the Feistel structure.

Figure 16 is a self-explanatory exemplary illustration of a preferred embodiment which explains how to make and use a particular form of multiplication portion of the method of the present invention. The form of multiplication illustrated herein includes the steps of multiplying two inputs to yield a product, performing the function of exclusive-or on those two inputs to yield a sum, followed by adding together the product and sum. Another preferred embodiment of the method of the present invention uses common multiplication, folding the upper and lower halves together. Another preferred embodiment of the method of the present invention uses common multiplication, folding an upper half of a current execution with a lower half of a companion execution. Additional forms of multiplication apply to the key insertion operation. The figure shows an example multiplication operation in detail, which can be common to many variants of Multi-DES. Reference is made to the section on a form of multiplication above for additional variants.

Figure 17 is a self-explanatory exemplary illustration of a preferred embodiment which explains how to make and use an internal round function portion of the method of the present invention. An exemplary method of folding is shown, wherein a folds with b and b folds with a. This is pairwise folding. The figure shows an example round function for TMD using two MultiDES encryptions in tandem.

Figure 18 is a self-explanatory exemplary illustration of a preferred embodiment which explains how to make and use an internal round function portion of the method of the present invention. An example folding is shown, wherein a folds with each of b and c, b folds with each of a and c, and c folds with each of b and a. This is round-robin folding. The figure shows an example round function for TMD using three MultiDES encryptions in tandem.

Figure 19 is a self-explanatory exemplary illustration of a preferred embodiment which explains how to make and use an internal round function portion of the method of the present invention. An example folding is shown. The method is: a folds to b, b folds to c, c folds to d, and d folds to a. Refer to the result of d folding with a as da, and the result of b folding with c as bc. Then, preferably, blend da with bc. An underlying principle is to avoid reusing influence from a given section of plain text derived input wherever other distinct sections are available. This method is permutation folding. The figure shows an example round function for TMD using four MultiDES encryptions in tandem.

The preferred embodiment of the method of the present invention, TMD, can have two, three, four, or more MultiDES rounds run in tandem. A methodology for folding companion round multiplications together to achieve the TMD cipher is shown in figures 14-16. A MultiDES round has a block size of 64 bits and a key size of 64 bits (figures 14-15). TMD using two MultiDES rounds in tandem has a block size of 128 bits and a key size of 128 bits (figures 16-17). TMD using three MultiDES encryptions in tandem has a block size of 192 bits and a key size of 192 bits (figures 16 and 18). TMD using four tandem rounds has a block size of 256 bits and a key size of 256 bits (figures 16 and 19).

Reference is made to figures 20-26. Step numbers within the set of figures 20-26 are understood to be local to that set of figures unless specifically specified otherwise. Figure 20 is a simplified flowchart illustration of a preferred method for protecting data on a persistent storage medium, such as a hard disk, of a computer, such as a notebook computer. Preferably and optionally, a casual browser does not know that the file system is encrypted. Preferably and optionally, only the user files of the hard disk or other storage device are encrypted. Preferably, the computer continues to decrypt and encrypt files automatically, without user involvement, whenever a disk read or write occurs.

Briefly, in step 10, the intention to write to a cluster "c" of a hard disk is detected. Typically, encryption is determined on a file-by-file basis but performed on a cluster-by-cluster basis. Preferably, encryption happens at the time of disk reads and writes, on the cluster level. Typically, legitimate backup causes work to be perfectly restored, whereas illegal backup files remain encrypted. In step 20, information is trapped which is intended to be written to this cluster, for example as entered by a user of the computer. A symmetric cryptosystem is then used to encrypt the information. In step 30, the information is stored in cluster "c" on the persistent medium.

According to another symmetric key ciphering method provided in accordance with a preferred embodiment of the present invention, the following steps are performed: generation of a key, encryption of a file using the key, encryption of the key, storage of the encrypted key on a persistent medium, typically a hard disk, decryption of the key, and use of the key to decrypt the file.

Typically, the FAT is used to determine the last cluster of a file given a sector within the file. According to a preferred method for encryption of a storage device, typically a hard disk, the master key for decryption is never present in any form on the hard disk.

Preferably, a user-selectable time-out requires re-entering the password to continue decoding files. Typically, the time-out is different for regular use and for idle time.

Figure 21 is a simplified self-explanatory flowchart illustration of a preferred method for protecting confidentiality of information written on a notebook computer, the method being constructed and operative in accordance with a preferred embodiment of the present invention.

Briefly, in step 100, a pass phrase is provided. The pass phrase typically includes at least 80 to 90 bits of entropy. In step 110, an MD5-MAC key is provided. The MD5-MAC key is typically generated unique to every installation of the method. For example, if software for performing the above MD5-MAC authentication method is installed on a population of hard disks, each hard disk is preferably provided with its own unique key. Typically, this uniqueness of the key is accomplished by cryptographically hashing (e.g. using an MD5 hash or a MultiDES-based encryption method operative as a hash) information available on the user's hard disk at the time of installation. Optionally, the pass phrase is probabilistically checked for correctness.

Typically, the information which is hashed includes the directory tree. In step 120, the pass phrase is processed using the MD5-MAC key. In step 130, the ciphered pass phrase is partitioned into at least two portions, one of which is the key generation key. In step 140, a file key is generated using the key generation key, as shown in more detail in Figure 22. Preferably, an MD5-MAC authentication method is provided, as shown in figure 21, which can include performing MD5-MAC (described in the above-referenced Menezes document) on a pass phrase and partitioning the result into two 64-bit quantities. Examples of uses for the two 64-bit quantities are described below. Alternatively, use Multi-DES based systems employed as a hash function with a 256-bit block size.

Figure 22 is a simplified flowchart illustration of a use of a slightly modified MD5-MAC message authentication code method constructed and operative in accordance with a preferred embodiment of the present invention. Also provided, according to a preferred embodiment of the present invention, is an architecture for key generation given a sector with 16 DOS directory entries and the number of a specific entry therein. The information is cryptographically mixed to provide a file key. In other words, according to a preferred embodiment of the present invention, a key can be generated by cryptographically mixing a sector having 16 DOS directory entries with the entry, from among the 16 entries, for which the key is being generated. The cryptographic mixing is typically performed using a symmetric cipher with a 64-bit plain text block size and a 56 or 64 bit key size, although other key and block sizes are possible, particularly as provided by MultiDES based systems. Preferably, the bytes which participate in the cryptographic mixing are 8 bytes per directory entry starting at 16 Hex, 36 Hex, 56 Hex, etc.

Preferably, the first input to the cryptographic mixing is the specific directory entry and the first directory entry, with one playing the role of the key and the other the plain text. Typically, the subsequent input to the cryptographic mixing is the output of the (i-1)'th mixing (1<i<17) and the i'th directory entry, with one playing the role of the key and the other of the plaintext. Preferably, the resulting output of the 16th cryptographic mixing is used as a key to encrypt a file. The file key may be encrypted using one of the 64-bit quantities from the MD5-MAC or Multi-DES based hash.

Preferably and optionally, the first input to the cryptographic mixing is the specific directory entry and all of the directory sector (512 bytes, i.e. 4096 bits, per block), with one playing the role of the key and the other the plaintext. Optionally, the location on disk, as calculated in heads, tracks, cylinders, sectors, and offset, may be added to the key and/or plaintext before applying Multi-DES based methods to accomplish the cryptographic mixing. Alternatively, the cryptographic mixing is done using a fast parallel bit-wise vector implementation of Multi-DES based systems or DES based systems with a form of multiplication used in place of exclusive-or for key insertion within the round function.

In step 200, a sector of a DOS directory and the offset 1<j<17 of a particular file entry within the sector are provided. Preferably, the location of the file within the hard disk is also provided (see step 520 of Figure 25 below). A cryptographic key is generated according to the following steps. In step 210, 8 bytes per directory entry are provided, starting at 16 Hex, 36 Hex, 56 Hex, etc., to obtain 16 64-bit intermediate keys numbered 0<i<17. In step 220, these 8 bytes per directory entry are encrypted, with intermediate key i as plaintext and intermediate key j as the key, to obtain an intermediate value as ciphertext. Preferably, the location is added to key j substantially before key j is employed as a key. In step 230, step 220 is repeated except that the result of step 220 is the key for the encryption, to obtain a new intermediate value as ciphertext. In step 240, step 230 is repeated 16 times. In step 260, the resulting intermediate value for i=16 is the plaintext and the key generation key from the MD5-MAC or MultiDES-based encryption method operative as a hash is the key for encryption, to obtain a file key as ciphertext. Optionally, differential time between keypresses or disk latency time, or the contents of keystrokes or the contents of disk reads, are used to seed a random number generator.

Figure 23 is a simplified self-explanatory flowchart illustration of a preferred method for generation of file keys forming a part of the method of figure 22, using the contents of DOS directory entries as plain texts and keys to generate a file key. In step 300, a symmetric cipher key is generated, for example according to Figure 22. In step 310, a file or directory is encrypted with a symmetric cipher, for example with MultiDES-based encryption methods, such as that shown in Figure 26. In step 320, the file key is encrypted as plaintext, using a key protection key, typically generated according to Figure 21, as key with a symmetric cipher, to obtain a protected file key. Alternatively, the file key is generated by employing information available in the sector of the directory of the file, using MultiDES-based encryption methods, employing the specific file entry as the key and the remaining part of the sector as the plaintext. In step 330, the protected file key is stored in a conveniently located portion of the disk, for example in the last bytes of the last cluster allocated to the file.

Figure 24 is a simplified self-explanatory flowchart illustration of a preferred method for performing an encryption of a file using the method of figure 22 to generate file keys and the output of the method of figure 21 to protect the file key. In step 400, a symmetric cipher key is generated, typically using Figure 22, or using MultiDES-based encryption methods as mentioned above. In step 410, a file or directory is encrypted with a symmetric cipher and the key is stored, for example according to Figure 23. In step 420, a key protection key is provided, typically generated according to Figure 21 or using MultiDES-based encryption methods effective as a hash function. In step 430, the protected file key is retrieved from a conveniently located portion of the disk, substantially as previously described. In step 440, the protected file key is decrypted as ciphertext using a key protection key, for example generated according to Figure 21 or using MultiDES-based encryption methods effective as a hash function, as key with a symmetric cipher, to obtain a file key. In step 450, the file is decrypted using the file key as the key, by conventional methods or alternatively according to Figure 26.

Figure 25 is a simplified self-explanatory flowchart illustration of a preferred method for performing an encryption of a file on a sector by sector basis using unique information based on the location on the particular hard disk and cipher-block-chaining within the sector. According to a preferred symmetric key ciphering method provided in accordance with the present invention, ciphering proceeds as follows: given a key and a sector number of data to be encrypted, encryption is carried out, typically using the location serial number as an initial vector. Thus, preferably employ subkey-chaining-mode together with bit-slice vector implementation to maximize block size for the Multi-DES based method. According to another file encryption method provided in accordance with a preferred embodiment of the present invention, a symmetric cipher key is generated, a file is encrypted and a protected file key is stored. The protected file key is typically stored in a conveniently locatable place on the disk, typically in the last bytes of the last cluster allocated to the file.

A preferred method for protecting hard disks uses an available attribute bit from the attribute byte, typically bit 6, to indicate whether or not to encrypt. Preferably, there is a default as to whether or not to encrypt, the default being, for example, to encrypt. Preferably, each file handle, upon opening the file, is associated with a bit which indicates whether or not to encrypt the contents of the file. Typically, the association is a simple index into a 256-byte table.

In step 500, a key is provided, for example according to Figure 22 or using MultiDES-based encryption methods effective as a hash function, as key with a symmetric cipher to obtain a file key. In step 510, a sector number of the data to be encrypted is provided. In step 520, a location serial number is obtained by deriving sector number information which is unique to the presently installed hard disk and current location, such as hard drive number, cylinder number, sector number, and number of the read/write heads. In step 530, a sector is partitioned according to the symmetric cipher block size into plaintext blocks, for example according to MultiDES-based methods. In step 540, the sector is encrypted with cipher-block-chaining or sub-key-block-chaining mode of the methods of the present invention (for example as shown in figure 11), by conventional methods, using the location serial number as the initial vector.
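The key hierarchy of figures 21 through 25 (pass phrase to key generation key and key protection key, directory sector to file key, protected file key, sector encrypted in cipher-block-chaining with the location serial number as initial vector), written out as an added example that is not the patent's own code. A blake2b-keyed Feistel network stands in for the 64-bit DES or MultiDES block cipher and HMAC-MD5 stands in for MD5-MAC (both assumptions); the sample sector, MAC key, entry index and location serial number are constructed values.

```python
"""Key hierarchy of figures 21 to 25: pass phrase -> key generation key and key
protection key; directory sector -> file key; file key protected for storage;
sector encrypted in CBC mode with the location serial number as initial vector.
Added example, not the patent's own code."""
import hashlib
import hmac
import struct

# Assumption: a 4-round Feistel network keyed through blake2b stands in for the
# 64-bit block cipher (DES or MultiDES) of the specification, keeping the
# 64-bit block / 64-bit key interface that the derivation relies on.
def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key8: bytes, half4: bytes, rnd: int) -> bytes:
    return hashlib.blake2b(half4 + bytes([rnd]), key=key8, digest_size=4).digest()

def block_encrypt(key8: bytes, block8: bytes) -> bytes:
    l, r = block8[:4], block8[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key8, r, rnd))
    return l + r

def block_decrypt(key8: bytes, block8: bytes) -> bytes:
    l, r = block8[:4], block8[4:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key8, l, rnd)), l
    return l + r

def passphrase_keys(passphrase: str, mac_key: bytes):
    """Figure 21, steps 100-130: the pass phrase is processed under the
    per-installation MAC key and the 128-bit result is partitioned into two
    64-bit quantities.  Assumption: HMAC-MD5 stands in for MD5-MAC."""
    tag = hmac.new(mac_key, passphrase.encode("utf-8"), hashlib.md5).digest()
    return tag[:8], tag[8:]          # (key generation key, key protection key)

ENTRY_SIZE = 32                      # one DOS directory entry; 16 per 512-byte sector

def intermediate_keys(sector: bytes):
    """Figure 22, step 210: 8 bytes per entry at 0x16, 0x36, 0x56, ... (write
    time and date, first cluster and file size in the FAT entry layout)."""
    return [sector[0x16 + ENTRY_SIZE * i:0x16 + ENTRY_SIZE * i + 8] for i in range(16)]

def derive_file_key(sector: bytes, entry_index: int, location_serial: int,
                    key_generation_key: bytes) -> bytes:
    """Figure 22, steps 220-260; entry_index is 0-based (the text's 1<j<17)."""
    keys = intermediate_keys(sector)
    # Step 220: the specific entry, with the location serial number added, is
    # the key and the first entry is the plaintext.
    k = (int.from_bytes(keys[entry_index], "big") + location_serial) & ((1 << 64) - 1)
    value = block_encrypt(k.to_bytes(8, "big"), keys[0])
    for i in range(1, 16):           # steps 230/240: each result keys the next entry
        value = block_encrypt(value, keys[i])
    # Step 260: the final value is the plaintext under the key generation key.
    return block_encrypt(key_generation_key, value)

def protect_file_key(file_key: bytes, key_protection_key: bytes) -> bytes:
    """Figure 23, step 320: the file key is encrypted before it is stored in
    the last bytes of the file's last cluster."""
    return block_encrypt(key_protection_key, file_key)

def recover_file_key(protected: bytes, key_protection_key: bytes) -> bytes:
    """Figure 24, step 440."""
    return block_decrypt(key_protection_key, protected)

def sector_encrypt(file_key: bytes, location_serial: int, sector: bytes) -> bytes:
    """Figure 25, steps 530-540: partition into 8-byte blocks and CBC-chain
    them, the location serial number serving as the initial vector."""
    prev, out = struct.pack(">Q", location_serial), bytearray()
    for off in range(0, len(sector), 8):
        prev = block_encrypt(file_key, _xor(sector[off:off + 8], prev))
        out += prev
    return bytes(out)

def sector_decrypt(file_key: bytes, location_serial: int, ciphertext: bytes) -> bytes:
    prev, out = struct.pack(">Q", location_serial), bytearray()
    for off in range(0, len(ciphertext), 8):
        blk = ciphertext[off:off + 8]
        out += _xor(block_decrypt(file_key, blk), prev)
        prev = blk
    return bytes(out)

# Constructed sample data (not from the page): a 512-byte directory sector and
# a per-installation MAC key.
SAMPLE_SECTOR = bytes((i * 37 + 11) & 0xFF for i in range(512))
SAMPLE_MAC_KEY = bytes(range(16))

if __name__ == "__main__":
    kgk, kpk = passphrase_keys("example pass phrase", SAMPLE_MAC_KEY)
    fk = derive_file_key(SAMPLE_SECTOR, 3, 0x00020A15, kgk)
    stored = protect_file_key(fk, kpk)
    ct = sector_encrypt(fk, 0x00020A15, SAMPLE_SECTOR)
    assert recover_file_key(stored, kpk) == fk
    assert sector_decrypt(fk, 0x00020A15, ct) == SAMPLE_SECTOR
    print("file key", fk.hex(), "protected", stored.hex())
```

Because the location serial number enters both the first mixing and the initial vector, the same directory entry on a different disk position yields a different file key and a different sector ciphertext.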
Figure 26 is a simplified self-explanatory flowchart illustration of a preferred method for performing the method of figure 25 wherein the encryption is a fast parallel bit-wise vector implementation of DES with a form of multiplication substituted for exclusive-or when combining the subkey with the plaintext derived input, such as MultiDES. The symmetric cipher is typically a fast parallel bit-wise vector implementation of DES using a form of multiplication for key insertion. The size of the bit-wise vector is preferably a multiple of 8, such as 16, 32, or 64. MultiDES is operative a sector at a time as well as a cluster at a time.

The above methods and systems are useful for many storage devices such as hard disks, and in particular the hard disk of a portable, typically notebook, computer.

It is understood that in figures 27-36, wherever addition or multiplication is used, a form of multiplication may be substituted. Likewise, parallel execution(s) may be combined using techniques of folding and/or blending. In figures 27-36, the symbol +, not encircled, indicates standard addition. Step numbers within the set of figures 27-36 are understood to be local to that set of figures unless specifically specified otherwise. The symbol +, encircled, indicates an exclusive-or operation. The symbol + in a square indicates standard addition.

Reference is now made to figure 27, which is a simplified flowchart illustration of a DES encryption method constructed and operative in accordance with a preferred embodiment of the present invention. A suitable initial permutation (e.g. for step 10), a suitable final permutation (e.g. for step 30 as well as for step 320) and a suitable DES key schedule (e.g. for step 50) are all described in Biham and Shamir's Appendix A, "Description of DES" and/or in the Glossary of the above-referenced Biham and Shamir publication.

To obtain an inverse of the P permutation, conventional methods may be used to compute an inverse of the P permutation described in Biham and Shamir's Appendix A and/or glossary of the Biham and Shamir publication.

The subkey table generated in step 50 may, for example, be stored on a hard disk. It is stressed again that a form of multiplication specifically includes common addition as a possible form.

Figure 28 is a simplified flowchart illustration of a first preferred method for performing an n'th DES round forming part of the method of the previous figure, using addition to combine the subkey with the plain text derived input of the method of the previous figure (step 80). The method of the current figure uses a form of multiplication to combine the subkey with the plain text derived input.

Figure 29 is a simplified flowchart illustration of a second preferred method for performing an n'th DES round (step 80) employing a form of multiplication, forming part of the method of figure 27. The method of the current figure, like the previous figure, uses a form of multiplication to combine a subkey with plain text derived input. However, in the previous figure only a single plain text is typically encrypted at a time, whereas in the current figure a plurality T of plain texts, such as T = 32 plain texts, each including I bits (typically I=64), are encrypted simultaneously. Typically, the DES encryption method of figure 27 is repeated I times and the i'th performance (i=1, ..., I) of the DES encryption method of figure 27 encrypts the i'th bit of each of the plain texts. Optionally, third and fourth permutations may be used which respectively replace the first and second permutations of steps 40 and 120. The third permutation is defined by associating the i'th bit of the t'th plain text (t=1, ..., T) with the t'th bit of the i'th plain text derived input. The fourth permutation is defined by associating the i'th bit of the t'th ciphered text (t=1, ..., T) with the t'th bit of the i'th final round output. If a plurality of plain texts are encrypted simultaneously using exclusive-or to combine subkey with plain text derived input, then the encryption output is no different than it would be if the plurality of plain texts were encrypted one by one, the only advantage of simultaneous encryption being speed. However, if, as is shown in the previous figure, the plurality of plain texts are encrypted simultaneously using a form of multiplication (not exclusive-or or another bit-wise operation) to combine subkey with plain text derived input, then the encryption output is different than it would be if the plurality of plain texts were encrypted one by one. It is appreciated that because the results of the encryption method of the current figure are different than the results of conventional DES, the initial and final permutations of DES may be skipped, to increase speed. When step 310 is performed for a first round of DES encryption (n=1 in figure 27), the plain text derived input typically comprises the plain text itself. When step 310 is performed for a subsequent round of DES encryption (n>1 in figure 27), the plain text derived input typically comprises the output sequence of 64 integers generated in step 370 of the previous round n-1. The expansion table used in the current figure, step 310, is typically the same expansion table used in figure 28, step 140. Step 350 may be performed using any of the possible logic gate configurations described herein and others. In the current figure, the length of each subkey-derived integer and each plain text derived integer may be any suitable length such as 8 bits, 16 bits, 32 bits or 64 bits.

Figure 30 is a simplified flowchart illustration of a modification of figure 28 in which first and second permutations and mapping are employed to perform the DES round, useful when steps 10-30 are employed. In the method of the current figure, the mapping generated in step 30 is employed to perform a DES round.

Figure 31 is a simplified flowchart illustration of a third preferred method for performing an n'th DES round forming part of the method of figure 27, wherein subkeys are combined with plain text derived input using a form of multiplication as shown. A preferred method of the current figure is the combination of s-boxes, permutation and expansion into a single table look-up.

Figure 32 is a simplified flowchart illustration of a DES encryption method constructed and operative in accordance with another preferred embodiment of the present invention.

Figure 33 is a simplified flowchart illustration of a fourth preferred method for performing an n'th DES round forming part of the method of figure 32, using multiplication to combine subkey with plain text derived input.

Figure 34 is a simplified flowchart illustration of a fifth preferred method for performing an n'th DES round forming part of the method of figure 32.

Figure 35 is a simplified flowchart illustration of a modification of figure 33 in which first and second permutations and mapping are employed to perform the DES round.

Figure 36 is a simplified flowchart illustration of a sixth preferred method for performing an n'th DES round forming part of the method of figure 32.

The appendices include a description of research based on findings which indicate that replacing the exclusive-or operation with an addition operation, within the F function described by Biham and Shamir, does not always yield a weaker cryptosystem, contrary to the teachings of Biham and Shamir in section 4.5.3.1 of Chapter 4 of the above-referenced Biham-Shamir publication. The research findings described in the appendices also indicate that replacement of exclusive-or within the F function by common multiplication with the final carry discarded is, in certain situations, stronger than conventional DES methods. The research findings also suggest that replacement of exclusive-or within the F function by multiplication over a ring is preferable to replacement of the same by common multiplication with the final carry discarded.

The method of the present invention provides a rapid, simple, and secure means for controlling a microprocessor to effect symmetric message authentication, one-way hashing with or without a key, and a symmetric block cipher.

Many other variations are possible; for example, the expansion mapping is unnecessary when a form of multiplication is used for key insertion. Other variations are possible; for example, the key insertion and folding operations can be applied to a variety of ciphers to yield improved block size regardless of whether the Feistel structure or a totally different construction is used.

Other variations are possible; for example, the key insertion and folding operations can be applied to a cipher whose block length is any arbitrary amount shorter than the designated block length, by replacing the influence of plain text derived input by additional subkeys in each round. For example, to shorten a 64-bit block cipher to 48 bits only, simply encrypt normally, but at the start of each round where plain text derived input is required use 48 bits only and use an additional 16 bits of subkey for that round. The key schedule would require more rounds at key set-up time to effectively generate the additional subkey bits for each round.

Other variations are possible; for example, the key insertion and folding operations can be applied to a cipher for which every s-box is influenced by every plain text derived input bit in a round. In place of the blending operation described, use a form of multiplication for key insertion again on a distinct set of subkeys. These results can be blended between the first and third s-box inputs as well as the second and fourth s-box inputs. Blending takes half of the output from one of the arguments and the other half from the other.

Other variations are possible; for example, the key insertion and folding operations can be modified so as to use any group operation or an operation which combines a few group operations. For example, the folding can be done using addition, subtraction, or even modular multiplication or division.

Other variations are possible; for example, the key insertion and folding operations can be combined with a bit-slice implementation where the size may be chosen based on considerations of the existence of Fermat primes.
Likewise, common multiplication can be used as an expansion operation instead of the standard E mapping. Multiplication of a 32-bit subkey by a 32-bit plain text derived input yields a 64-bit quantity. We may discard the upper and lower 8 bits of the result, leaving us with 48 bits which can be fed into the S-boxes. Likewise, the expansion mapping could be accomplished after the key insertion operation. This has the advantage and object of simplifying the round function and causing the bits entering the s-box to depend on a plurality of plain text derived input bits, as distinct from the prior art wherein the dependence is on a single plain text derived input bit.

Execution of two operations of block or stream encryption in parallel can employ common 
multiplication with exclusive-or to fold the upper half of the result of the multiplication into the lower 
half of the companion execution. This is referred to as MultiDES based systems, one embodiment of 
the method of the present invention. An object and advantage is to extend the key-block length by 
causing mutual influence of plain text derived input bits on the other respective round output. 

If the two operations are MultiDES based systems with bit-slice implementation, one embodiment 
of the method of the present invention, with encryptions running in parallel, similar folding techniques can 
be applied in parallel yielding a 1024-, 2048- or 4096-bit block cipher called MultiDES based systems with 
bit-slice implementation, one embodiment of the method of the present invention. An object and 
advantage is to extend the key-block length by causing mutual interference of plain text derived input 
bits on the other respective round output. Moreover, a five-fold speed increase is achieved relative to 
the embodiment with non-bit-slice s-boxes. 

The bit-slice implementation does not need to encrypt exactly 64 plain texts at once. Rather, 
preferably and optionally, encrypt 4, 8, 16, or 32 at a time. This enables the group operation of 
multiplication using a Fermat prime to combine a 16-bit subkey with a 16-bit plain text derived input. 
Naturally, simultaneous encryption of 2, 4, and 8 plain texts typically uses multiplication over a field 
modulo a Fermat prime. Multiplication over a field modulo a Fermat prime can be improved relative 
to the all-zero key by treating zero as "-1" over the field. An object and advantage of modular 
multiplication is that, being a permutation, it is known that all bits in the domain and range are used. 

In fact, use of common multiplication using some method such as exclusive-or to fold the upper 
and lower halves together, or multiplication over a ring (or a field), should yield similar results. 
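The key insertion variants named in the preceding paragraphs, as an added example that is not code from the patent: common multiplication with exclusive-or folding of the upper half into the lower half, multiplication over the field modulo the Fermat prime 2^16+1 with the word zero read as -1, and multiplication as an expansion that keeps the middle 48 bits of a 64-bit product. The 16-bit and 32-bit widths follow the text; the function names and the permutation check are my own.

```python
# Added example (not code from the patent): the key insertion variants described above,
# on the 16-bit and 32-bit widths the text uses, with a permutation check.

FERMAT_PRIME = (1 << 16) + 1      # 65537, the Fermat prime used for 16-bit words
MASK16 = 0xFFFF
MASK48 = (1 << 48) - 1


def insert_fold_xor(subkey: int, text: int) -> int:
    """Common multiplication with exclusive-or folding: the upper 16 bits of the
    32-bit product are XORed into the lower 16 bits."""
    product = (subkey & MASK16) * (text & MASK16)
    return ((product >> 16) ^ product) & MASK16


def insert_fermat(subkey: int, text: int) -> int:
    """Multiplication over the field modulo 65537. The 16-bit word 0 is read as -1
    (the residue 65536), so the all-zero subkey or input is not a zero divisor and
    every 16-bit word maps to a non-zero field element."""
    a = subkey if subkey else FERMAT_PRIME - 1
    b = text if text else FERMAT_PRIME - 1
    r = (a * b) % FERMAT_PRIME
    return 0 if r == FERMAT_PRIME - 1 else r     # residue 65536 is encoded as word 0


def invert_fermat(subkey: int, value: int) -> int:
    """Undo insert_fermat under the same subkey (the decryption direction)."""
    a = subkey if subkey else FERMAT_PRIME - 1
    r = value if value else FERMAT_PRIME - 1
    b = (r * pow(a, -1, FERMAT_PRIME)) % FERMAT_PRIME
    return 0 if b == FERMAT_PRIME - 1 else b


def mul_expand(subkey32: int, text32: int) -> int:
    """Multiplication as the expansion operation: the 32x32-bit product is 64 bits;
    the upper and lower 8 bits are discarded, leaving 48 bits for the S-boxes."""
    product = (subkey32 & 0xFFFFFFFF) * (text32 & 0xFFFFFFFF)
    return (product >> 8) & MASK48


def is_permutation(op, subkey: int, bits: int = 16) -> bool:
    """True if op(subkey, .) maps the `bits`-wide words one-to-one onto themselves,
    i.e. every input bit and every output bit is used, as the text argues."""
    size = 1 << bits
    seen = bytearray(size)
    for x in range(size):
        y = op(subkey, x)
        if y >= size or seen[y]:
            return False
        seen[y] = 1
    return True


if __name__ == "__main__":
    for k in (0, 1, 0x1234):           # constructed sample subkeys
        print("fermat   key %#06x permutation: %s" % (k, is_permutation(insert_fermat, k)))
        print("xor-fold key %#06x permutation: %s" % (k, is_permutation(insert_fold_xor, k)))
```

The modular form is a permutation for every subkey, including the all-zero one; the exclusive-or fold is not a permutation for the zero subkey, which is the weakness the "-1" convention removes.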
Unlike Biham's solution, this is not plug-compatible with prior art DES. Rather, it causes each of 
the 16-bit plain text derived inputs in a given round to influence at least one bit in every other 
simultaneous encryption, because there exists a given 16-bit input, for a fixed key, yielding any 
particular desired output bit combination. Thus, Shannon's criteria of diffusion and confusion are 
better satisfied. Multiplication over a field defined by a Fermat prime is no longer computationally 
expensive in the Intel microprocessor architectures. Our method would extend to any method of 
multiplication which could be simply expressed as a combination of the resulting two input-sized 
results from common multiplication. The group operation chosen within a round to combine the 
subkey with plain text derived input need not be constant from round to round. The method of the 
present invention may be cascaded, used before or after known or to be invented methods. 

Advantages and objects of the bit-slice ramification of the method of the current embodiment of the 
present invention include additional speed, additional block size, effective hardware implementations, 
encryption block size matching that of public-key algorithms such as RSA, convenient stream cipher, 
and powerful hash function. 

One advantage and object of the method of the present invention is increased speed. MultiDES 
based systems with bit-slice implementation, one embodiment of the method of the present invention, 
achieve block throughput rates averaging about five times as fast as prior art DES. This improvement 
is achieved without reducing the number of rounds. 

Another advantage and object of the method of the present invention is increased block size. 
The huge block size ranging from 512 bits to 4096 bits breaks up local patterns effectively and 
depends on every single bit of key and/or plain text input. 

Another advantage and object of the method of the present invention is effective hardware 
implementations. 

The approach is suitable for use on many computers, not limited to 64-bit microprocessors 
such as the DEC Alpha, or to 32-bit microprocessors such as the Intel Pentium. Likewise, an efficient 
example implementation using logic gates has been accomplished. 

Another advantage and object of the method of the present invention is encryption block size 
matching that of public key systems. For the first time, a secure symmetric system achieves the same 
block size as RSA. 
Thus, it would be a natural partner to RSA in new protocols. For example: 
1. signatures based on a partial or folded output of MultiDES based systems with bit-slice 
implementation, one embodiment of the method of the present invention. 

2. zero-knowledge identification in which partial outputs of MultiDES based systems with bit- 
slice implementation, one embodiment of the method of the present invention, are shown. 
3. digital cash in which spending a coin reveals a key and partial output; 
double spending would be caught when more output is revealed. 

Another advantage and object of the method of the present invention is an effective stream 
cipher and hash function. The ability to effectively mix significant chunks of data allows for a natural 
application as a pseudo-random number generator to be used as part of a stream cipher. Likewise, 
huge inputs are rapidly hashed to the desired size. 

An advantage and object of the architecture of the present invention is that sleep to disk causes 
encryption of memory being written to disk and/or erasure of the master key in memory prior to 
writing to disk. 

Another advantage and object of the architecture of the present invention is that an enemy who 
captures a computer which is powered off (or in a smart-sleep state where memory is written to 
disk) gains nothing except the encrypted data. 

Another advantage and object of the architecture is that recovering the data requires either 
knowledge of the pass phrase or the equivalent of breaking an accepted or patented encryption method. 

Another advantage and object of the architecture is that typically, identical files encrypted under 
the same key do not yield even the same initial encrypted block. 

Another advantage and object of the architecture is that typically, files which are not 
cryptographically sensitive are not automatically encrypted. 

Another advantage and object of the architecture is that typically, user files and newly created 
files are automatically encrypted. 

Another advantage and object of the architecture is that typically, encrypted and plaintext files 
co-exist on all but the most security intensive systems. 

Another optional advantage of the architecture is that it is not obvious that encryption has been 
used, except for used hard disk space to which no files lay claim. 
Another application and object of the method of the present invention is use in a wide variety of 
applications including fast communication links and local applications, e.g. for confidentiality and 
authentication purposes, particularly including automatic, background encryption of hard disks of 
notebook computers, preferably on a file-by-file basis; encryption of file names on a storage medium; 
encryption of file contents, encryption of file names of those files and omission of information 
regarding those files from file directory listings; trapping all READs and WRITEs to the disk either 
on the DOS level or on the BIOS level; trapping any "sleep" mode writing to a disk of a notebook or 
desktop computer; cluster-by-cluster encryption; sector-by-sector encryption; use of bits in an 
attribute byte for deciding whether or not to encrypt a file; use of cipher block or subkey generation 
chaining mode over the largest block read or written by the chosen operating system as a single unit 
(typically a sector, cluster or track), employing sector number, track number, head number, cylinder 
number, cluster number, disk drive serial number, and any other available information to characterise 
a present location within a specific hard disk; and encryption of a cipher key and placing it in a 
location within a hard disk which is easily addressable given the cluster number of a cluster within a 
file. For example, the easily addressable location may be the last bytes of the last cluster in a file which 
contains a cluster whose number is given, or in the directory or cluster allocation information related 
to the file. 

Another suitable method for implementing the method of the present invention involves 
optimisation of 32-bit parallelism and 32-bit registers running in protected mode, or optimisation of 
16-bit parallelism and 16-bit registers running in real mode, or optimisation of 32-bit parallelism and 
32-bit registers running in real mode with 32-bit op-codes, or optimisation of 64-bit parallelism and 
64-bit registers running in real mode using a floating point unit to perform 64-bit arithmetic 
operations. Preferably, each input register to any of the arithmetic operations shown and described in 
figures 27-36 is fully utilised, but carries are preferably ignored as necessary depending on the size of 
available registers. 

WORK ON PRESENT INVENTION: IMPLEMENTATION DETAILS 

Various previously described features of the present invention were tested in actual 
implementations of cryptographic software for performing the methods of the present invention. The 
described techniques were applied to improve the preferred method of the present invention, yielding a 
speed of implementation of 16,000 bytes per second on a Pentium 120 MHz machine. Some 
approaches to enhance speed included the following: calculating the 16 sub-keys in advance, instead 
of for each plain text. In calculating the sub-keys, the method combined the initial key permutation, 
key shift per round and compression permutation, and output a 48 by 16 table relating the position of a 
compression bit with the bit position of the original key. Further, the method combined the P-box 
permutation, the initial and final permutations, and the Expansion Permutation into the H and F 
tables, causing the P-box permutation to 'disappear'. Thus, a preferred method of the present 
invention was implemented as follows: The subkey bit positions (by round) were calculated in 
advance. The plain text was permuted by an F[] table, and then split into f1[] and f2[], with f2[] being 
used in a round. In each round, the H[] table re-ordered f2[]. The reordered bits were then applied the 
function exclusive-or with the subkey. The S-boxes were viewed as an array of 64 values. Then the 
function exclusive-or value was applied to the element number value in that position in the array of 
the S-box output. f3[] was then applied to the function exclusive-or result of f1[] and the S-box 
output. At the end of each round (including the last), f2[] was copied into f1[] and f3[] was copied 
into f2[]. After the 16 rounds, a T[] table determined the cipher text bit positions from f1[] and f2[]. 

A preferred embodiment of the machine of the present invention was enhanced with programming 
techniques to speed up the program. The new speed recorded was 34,000 bytes per second on a Pentium 
120 MHz machine. Techniques employed included using integer registers, and using an 'nbit' 2- 
dimensional table, where the row number was the numerical value, and the row itself was the bit 
representation of that value. In going from nibbles to bits, the method copied nbit[row] where 
row was the value of the nibble (16 rows in all). Additional steps included changing f1[], f2[] and 
f3[] to a 2-dimensional table f[][], where the row value was represented by variables f0, f1, f2 
initialized as 0, 1, 2 respectively. From round to round, 1 modulo 3 was added to these values. The 
steps in each round were now as follows: the nbit's at row f[f1] were copied to an array called 'fbit'. 
For each S-box input: the H[] value was used to choose a bit from fbit; Left Shift and exclusive-or were used to 
accumulate k; k was exclusive-ored with the sub-key [round, S-box]; f[f2] = S-box[k] ^ f[f0]. Rotated: 
m = f0, f0 = f1, f1 = f2, f2 = m, even at the end of the last round. 

The method used also applied bit-slice methodology, enabling encryption of 32 plain texts at a time. 
The speed was 506,000 bytes per second on a Pentium 120 MHz machine; 257,000 bytes per second 
included the bit-splitting that proved that this was in fact an implementation of DES. An 
implementation included the following: the 64-bit key was converted to the 16 round sub-keys, except that each bit 
was expanded to an integer of 32 bits. Therefore, each subkey contained 48 integers, each integer 
being either all zeros or all ones. 

A machine started operation by reading 32 blocks of 64-bit plain texts, for a total of 64 integers 
at a time. Every 2 integers represented one plain text. The data was optionally re-arranged as 
follows. Every plain text has 64 bit positions. Each bit went into a separate integer. The bits of the first 
plain text went into the high order position of each integer. The bits of the second plain text went into 
the next highest order, and so on. As a result each output integer represents one bit position of every 
plain text. The implementation follows the ideas of combining permutations. The plain text was 
permuted by an F[] table, and then split into f[f0] and f[f1], with f[f1] to be applied the function 
exclusive-or with the sub-key. In each round, the H[] table re-orders f[f1]. The reordered bits were 
then applied the function exclusive-or with the subkey, with the result going into an array of 48 
integers. 

The data went into the logic_gates() routine, which was described in detail in the description of 
figure 9. The logic gates mimicked the S-boxes by viewing each output integer as a function of 6 
input integers. f[f2] = f[f0] applied the function exclusive-or with the logic gate output. The f0, f1, and f2 
values rotate (m = f0; f0 = f1; f1 = f2; f2 = m) even at the end of the last round. After the 16 rounds, a T[] 
table determines the cipher text bit positions from f[f0] and f[f1]. Finally, the bits were re-arranged 
in a procedure the reverse of the original: each cipher text contains one bit position of each of the 64 
integers. 
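The Bit Split transposition just described, its Undo Split inverse, and the expansion of each subkey bit into an all-zero or all-one integer, as an added example that is not the patent's program. It assumes 32 texts per slice as in the text; the check at the end shows that one exclusive-or of the expanded subkey against the sliced data equals a per-text exclusive-or.

```python
# Added example (not the patent's program): the "Bit Split" transposition used for
# bit-slice DES, its "Undo Split" inverse, and the all-zeros/all-ones subkey expansion.
import random

WORDS = 32                      # plain texts handled at once: one per bit of a 32-bit integer
WORD_MASK = (1 << WORDS) - 1


def bit_split(texts, width=64):
    """Transpose WORDS texts of `width` bits into `width` integers of WORDS bits.
    Output integer j holds bit position j (counted from the most significant bit) of
    every text; the first text lands in the high-order bit of each integer."""
    if len(texts) != WORDS:
        raise ValueError("bit-slice width is %d texts" % WORDS)
    slices = [0] * width
    for t, text in enumerate(texts):
        for j in range(width):
            bit = (text >> (width - 1 - j)) & 1
            slices[j] |= bit << (WORDS - 1 - t)
    return slices


def undo_split(slices):
    """Inverse of bit_split: text t takes bit t (from the top) of every integer."""
    width = len(slices)
    texts = [0] * WORDS
    for j, word in enumerate(slices):
        for t in range(WORDS):
            bit = (word >> (WORDS - 1 - t)) & 1
            texts[t] |= bit << (width - 1 - j)
    return texts


def expand_subkey(subkey, width=48):
    """Each subkey bit becomes a WORDS-bit integer of all ones or all zeros, so a
    single XOR applies that key bit to all WORDS sliced texts at once."""
    return [WORD_MASK if (subkey >> (width - 1 - j)) & 1 else 0
            for j in range(width)]


def sliced_key_xor(expanded_texts, subkey):
    """XOR a 48-bit subkey into 32 expanded (48-bit) texts the bit-slice way and
    return the per-text results, so they can be compared with a plain XOR."""
    slices = bit_split(expanded_texts, width=48)
    keyed = [s ^ kw for s, kw in zip(slices, expand_subkey(subkey))]
    return undo_split(keyed)


if __name__ == "__main__":
    rng = random.Random(1)                                  # constructed sample input
    texts = [rng.getrandbits(48) for _ in range(WORDS)]
    key = rng.getrandbits(48)
    print("sliced XOR matches per-text XOR:",
          sliced_key_xor(texts, key) == [t ^ key for t in texts])
```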

The Bit Split and the Undo Split were essentially an input and final permutation, and can be 
omitted without compromising security. They were retained to prove that this program was in fact an 
implementation of DES. The speed of a preferred embodiment of the present invention for executing 
triple-DES was 171,000 bytes per second on a Pentium 120 MHz machine; 127,000 bytes per second 
included the bit-splitting. Triple-DES was 1/3 as fast as DES without bit splitting and 1/2 as fast as 
DES with bit splitting. A preferred embodiment of the machine of the present invention for triple- 
DES used 3 keys; it encrypted with the first, decrypted with the second and encrypted again with the 
third. This embodiment was tested by setting the second and third keys to be identical. The program 
was almost identical to that of a previous implementation described above, except that it used 48 rounds. 
Subkey generation pre-calculation stored the sub-keys for the decryption phase in reverse order. The test created 
160,000 encryptions in 44 seconds. Plain texts were generated by a random generator, and DES was employed on the 
plain texts to yield cipher texts. The random generator was timed as generating 7 million bytes of data in 32 
seconds, which came out to 6 seconds for the amount of data used. Therefore, the DES operations took 38 
seconds. Results were compared to a test bed of data. The random generator was called only once for the initial 
plain text. DES was called using the output of the previous call as input to the current call. The mechanism 
for timing was constructed as follows. For this particular test the software did not write out to disk, and 
the clock was started right before the first call to DES. At the end of the program, the speed was calculated from the time 
elapsed to encrypt 10,000 * 32 blocks of data. 

A reduced P permutation is a permutation substantially similar to those shown in figure 8. 

The method of the present invention relates to using a form of multiplication as the key insertion 
operation and related folding methodologies useful to form a shorter input length keyed hash function. 
Another method of the present invention employs bit-slice methods. The preferred embodiment of the 
method of the present invention is rapid, simple and can be shown superior to prior art DES which has 
faced the tests of time. The method of the present invention achieves a 256-bit input size, yielding a 128- 
bit output in the preferred embodiment. 

It is appreciated that various features of the invention which are, for clarity, described in the 
contexts of separate embodiments may also be provided in combination in a single embodiment. 
Conversely, various features of the invention which are, for brevity, described in the context of a single 
embodiment may also be provided separately or in any suitable subcombination. 


It is appreciated that the software components of the present invention may, if desired, be 
implemented in ROM (read only memory) form. The software components may, generally, be 
implemented in hardware, if desired, using conventional techniques. 

While the above description contains many details, these should not be construed as limitations 
on the scope of the method of the present invention, but rather as an exemplification of at least one 
preferred embodiment thereof. Accordingly, the scope of the present invention should be determined not 
only by the embodiment(s) illustrated including appendices, but also by the appended claims and their 
legal equivalents. 
APPENDIX 

THEORY OF OPERATION 
BACKGROUND FOR THEORY 

Multi-DES is a new cipher based on standard DES with the same 
modification as SuperDES without the bit-slice implementation. For 
analysis, we defined a variant of common multiplication wherein the upper 
half of the result is discarded. Differential cryptanalysis using the XOR as 
the differential yielded so many restrictions on the key as to make the 
number of possible characteristics insufficient to recover all possible keys. 
The best characteristic which we were able to find, multiplied by the 
likelihood of a key satisfying it, was approximately the cost of exhaustive 
search. Thus MultiDES is stronger than DES. 

Continuing our analysis, we defined a variant wherein the multiplication is 
done over a field. One example of a field is that generated by multiplication 
modulo 2^n + 1 (when such a number is prime). Thus, we changed the group 
differential from XOR to ratio over a field. We attempted to build 
differential distribution tables for the behavior of the input and output ratio 
over the field for the s-boxes. Likewise, we needed such difference tables 
for the combination of the P permutation composed with the E expansion. 
This further decreased the chance of any successful differential. Moreover, 
connection from one round to the next of the characteristic cost additional 
probability. 

Because for these variants, e.g. where n = 16, the tables defined were simply 
large, we, for analysis, defined a reduced variant from 12 to 8 bits (with the 
expansion mapping defined accordingly). Likewise, because an attack on 16 
rounds was difficult, we chose to attack two rounds using heavily the properties 
of the Feistel structure of DES. 
ATTEMPTED CRYPTANALYSIS OF METHOD AND MACHINE 
To effectively evaluate the potential of the TMD cipher, we attacked it with 
known cryptanalytic methods. Since the TMD cipher is a tandem 
application of two or more MultiDES encryptions we began our analysis by 
studying Differential Cryptanalysis of MultiDES. 

MultiDES replaces the internal XOR in the F round of DES with common 
multiplication. Upon study of differential cryptanalysis, we found that 
substitution of common multiplication for XOR in the F function of DES 
yields a cryptosystem which is different from DES. We investigate the 
behavior of the MultiDES input difference K(E'): 

K(E') = (K · E) + (K · E*)   (1) 

Where: 

E' = E + E*   (2) 

Here K is a key, E' is the XOR input difference (as used in differential 
cryptanalysis of DES), and E and E* are input plaintexts. E', E and E* are all 
valid expanded texts which obey the E-expansion. 

In differential cryptanalysis we seek input differences to the substitution 
boxes which form the best iterative characteristics, those having the highest 
relative probability. Using some of these best choices for characteristics we 
will show MultiDES is stronger than DES in a differential cryptanalysis 
attack based on classical difference distributions. In addition, we will show 
that limitations are placed on the key space for compliance with the best 
characteristics chosen; consequently, weak keys, those that comply with 
high probability characteristics and allow a differential cryptanalysis attack, 
are few. 

Limitations are placed on the possible bit patterns for a valid expanded text 
(E, E*). When a 32-bit text is expanded into a 48-bit text (12 nibbles in Hex 
notation) nibbles 2, 5, 8, and 11 of the expanded text must be symmetric, in 
the sense that the two left bits of the nibble must be identical to the two 
right bits of the nibble. This is true since these particular nibbles have bits 
that are shared by adjacent substitution boxes. This limits the Hex value of 
these nibbles to 0, 5, A, or F. The remaining nibbles must have adjacent 
nibble symmetries, in the sense that the two rightmost bits of nibble i (i = 1, 
3, 4, 6, 7, 9, 10, 12) must be identical to the two leftmost bits of nibble i+1. 
Therefore, the expanded text pattern (E, E*) associated with a given 
substitution box (before key multiplication) is limited according to the 
particular nibbles it contains. The result of the common multiplication of the 
expanded text and the subkey, K(E'), is not required to be a valid E- 
expansion entity. This iterative characteristic can be formed, for a given 
substitution box, from input differences which yield a zero output 
difference with a high probability. 

In particular, for best results, we consider input differences that affect only 
isolated substitution boxes. 

In order to meet the isolated substitution box constraint, we have limitations 
on the bit patterns of the two nibbles of the input difference. It is noted for 
convenience that the nibbles of the input difference for a particular 
substitution box are related to the nibbles that enter the particular 
substitution box in the following way. For even numbered substitution 
boxes (2, 4, 6, or 8), the input difference nibbles are mapped directly from 
the nibbles entering the substitution box (the right nibble of the input 
difference is the right nibble that entered that particular substitution box and 
the left nibble of the input difference is the left nibble that entered that 
substitution box). For odd numbered substitution boxes (1, 3, 5, or 7), the 
bits of the input difference nibbles are not mapped directly to the bits of the 
nibbles entering that substitution box; but rather, the right nibble of the 
input difference is composed of the two leftmost bits of the right nibble 
entering that substitution box with the two rightmost bits of the left nibble 
entering that substitution box, while the left nibble of the input difference is 
composed of the two leftmost bits of the left nibble entering that 
substitution box with the two rightmost bits of a nibble from the previous 
substitution box. For input differences entering an even or an odd 
substitution box the leftmost two bits of the left nibble (of the input 
difference) must be zero, since they are in a previous substitution box. In 
addition, since both E and E* must obey the E-expansion and also not 
affect neighboring substitution boxes, they both have the two leftmost bits 
of their left nibbles and the two rightmost bits of their right nibbles zero. 
Moreover, we note that the two rightmost bits of an input pattern are 
conserved over key multiplication (i.e., the two rightmost bits of the input 
pattern K(E') which are obtained after key multiplication with E and E* 
remain zero, as they were in E, E*, irrespective of the key). Therefore, for 
any substitution box, both the two leftmost bits of the left nibble and the 
two rightmost bits of the right nibble, of the input difference, must be zero. 
Consequently, the input difference K(E') is limited to the Hex values: 00, 04, 
08, 0C, 10, 14, 18, 1C, 20, 24, 28, 2C, 30, 34, 38, or 3C. For example, in 
substitution box 4, an input difference of 28 Hex meets all constraints and is 
a candidate from which we can obtain a high probability iterative 
characteristic, since 

Prob(28 -> 0) is 16/64 = 1/4. 

(It is noted that the only high probability (1/4) entry in any substitution box 
Difference Distribution Table which also obeys the input difference 
constraints listed above is the input difference 28 in substitution box 4.) 

In order to fully understand the behavior of Eq. (1), we first studied a 
version of MultiDES in which common multiplication is performed in each 
substitution box independently. The input to a particular substitution box is 
therefore only a product of the expanded text associated with that 
substitution box (a six-bit entity) and the bits of subkey associated with that 
particular substitution box (six bits of subkey). The result of the common 
multiplication of two six-bit entities is an eleven-bit entity. We discard the 
five bits of the upper half (left half) of the result of the common 
multiplication, retain only the six bits of the lower half (right half), and 
use these six bits as the input to the substitution box. 

The input difference of Eq. (1) is not generally conserved with respect to the 
XOR input difference of Eq. (2). For the particular case of a zero input XOR 
(E' = 0), Eqs. (1) and (2) are equal, and the input difference for MultiDES is 
identical to the XOR case. This case is of no practical use in differential 
cryptanalysis since all keys are equally probable. We now introduce a 
Lemma which will assist in the selection of characteristics. 

Lemma: If r is the bit location (counted from the right of the bit pattern) 
of the first non-zero bit in the XOR input difference E', and s the bit 
position (counted from the right of the bit pattern) of the first non-zero bit in the key 
K, then the first non-zero bit in the MultiDES input difference K(E') is 
located at bit position r + s - 1 (counted from the right of the bit pattern of 
K(E')). 

Corollary: E' can only have a unique non-zero bit. 



The corollary results from the observation that Eq. (1) holds together with 
the conditions of the Lemma, if and only if, when multiplying both E and 
E* by a constant (the key) and XORing the result, an input difference K(E') 
is obtained which is a shifted bit pattern of the key. (For input XORs, E', 
having more than one non-zero bit, K(E') is not a shifted bit pattern of the 
key.) 

In the case at point, input difference to substitution box 4 having Hex bit 
pattern 28 (101000), r + s - 1 = 4. This means there are several choices for 
characteristics: 

r = 4, s = 1, 
r = 3, s = 2. 

This constrains the choices of E' and the corresponding keys which can 
give a given K(E'). 

These r values (together with the corollary) limit the input XOR, E', into 
substitution box 4, to 08 and 04 (Hex). 

These s values give us our first constraints on the subkey bits entering 
substitution box 4. Allowable keys have bit patterns of xxxxx1 or xxxx10 
(where x can be arbitrarily 0 or 1). We now show additional constraints on 
the key bits entering substitution box 4. 
Case r = 4, s = 1: 

Assume the key, K, has the piece entering substitution box 4 with bits k1 k2 k3 
k4 k5 k6. (These bits are those entering substitution box 4 and are 
numbered for convenience with respect to this substitution box, but they are 
really bits 19-24 of the subkey, as counted from left to right, or bits 25 to 29 
when counted from right to left.) 
Since s = 1, k6 = 1. 

Assume E has bits a b c d f g and E* has bits a* b* c* d* f* g*, entering 
substitution box 4. 

To comply with the Lemma and its corollary, E' = 000008000000 (Hex), 
and therefore, c must complement c*. 

Without loss of generality we can write: a = a*, b = b*, c <> c*, d = d*, f = f* and 
g = g*. We can also set c = 1, causing c* = 0. 
Consider the expression: 

E* · K = (E · K) + (E' · K)   (3) 

We evaluate the right hand side of Eq. (3). 

(E' · K) = (0 0 1 0 0 0) · (k1 k2 k3 k4 k5 1), whose right half pattern is k4 k5 
1 0 0 0. 

(E · K) is unknown and assumed to have bit pattern: A B C D F G. 
(E* · K) is given by Eq. (3) and evaluated: 

    A   B   C   D   F   G 
    k4  k5  1   0   0   0 
    ---------------------- 
    A*  B*  C*  D   F   G 

The following conditions are automatically valid: C <> C*, D = D*, F = 
F*, G = G*. 

In addition, since K(E') (Eq. (1)) was set at (Hex) 28 (bit pattern 1 0 1 0 0 
0), 

A <> A*, and B = B*. 

We now examine carry arithmetic involving the bits B, B* and A, A* of 
(E · K) and (E* · K). 

Carry arithmetic: 

We are going to calculate the carry in the addition (E · K) + (E' · K). Suppose 
we have the sum U + V = W in binary notation with corresponding bits U_i, V_i and 
W_i in column i 
(i = 0, 1, ..., n). The preliminary value of the sum in column i+1 is Sum_{i+1} = U_{i+1} 
+ V_{i+1} + carry_i. The real value of the sum in column i+1 is W_{i+1} = Sum_{i+1} (mod 
2). Since U_0 + V_0 <= 1 + 1 = 2 we have carry_0 <= 1. Suppose that 0 <= carry_i <= 
1. Then Sum_{i+1} = U_{i+1} + V_{i+1} + carry_i <= 3. Therefore 0 <= carry_{i+1} = (Sum_{i+1} - 
W_{i+1})/2 <= 1. 

So always 0 <= carry_i <= 1, and W_i = Sum_i - 2 carry_i. 
In general: 

W_i = U_i + V_i + carry_{i-1} - 2 carry_i   (4) 

We investigate the carry arithmetic for our conditions B = B*, A <> A*: 

B* = B + k5 + carry_C - 2 carry_B   (5) 

Now B* = B if and only if k5 + carry_C - 2 carry_B = 0 (mod 2). 

If carry_B = 0 then k5 + carry_C = 0 (mod 2), but carry_C = C, therefore 
k5 + C = 0 (mod 2). 

If carry_B = 1 then k5 + carry_C - 2 = 0 (mod 2), but carry_C = C, 
therefore k5 + C - 2 = 0 (mod 2). 

If C = 1 then k5 = 1, and if C = 0 then k5 = 0; therefore k5 = C. 
We conclude that: B* = B if and only if k5 = C. 

A* = A + k4 + carry_B - 2 carry_A   (6) 

Now A* <> A if and only if k4 + carry_B <> 0 (mod 2) (since 2 carry_A 
mod 2 is 0 for carry_A = 0 or 1), or when k4 <> carry_B. 

Examine two cases C = 0 and C = 1 : 

When C = 0, then ks = 0, carryc 0. carrye = 0 if and only if k4 =1, 
When C = I, then ks = 1, carryc = 1, carry^ = 1 if and only if k4 =0. 
We conclude, that in all cases, the key bits k4 o kg, and k^ = 1 . 
The input XOR, E% is limited to two values, 80 and 40 (Hex), which 
comply with an input difference K(E') of 28 (Hex) after key multiplication. 
The transition 28 (Hex) -> 0, for substitution box 4, occurs with probability 
16/64, This means that only 1 6 correct pairs (E, E*) exist which yield the 
output difference 0. However, each E' also has an associated 1 6 (E, E*) 
pairs (total of 32 pairs). Therefore, only half the possible (E, E*) pairs are 
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correct ones and this reduces the overall probability by Yi . The probability 
of this characteristic (as shown in Figure 20) becomes (Ya) (Yi) = 1/8 , To be 
useful we must apply this characteristic iteralively over the MultiDES 
rounds. 
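The derivation above can be checked exhaustively. The following C program is an added example, not code from the patent: it models the isolated substitution box exactly as the text does (six-bit key piece times six-bit expanded input, keeping the low six bits of the product), computes the difference distribution entries 28 -> 0 for substitution boxes 4 and 1, verifies the Lemma's r + s - 1 rule for single-bit input XORs, and checks that input difference 28 (Hex) after key multiplication is reachable for exactly the keys satisfying the derived conditions (k6 = 1, k4 <> k5 for E' = 001000; k5 = 1, k6 = 0, k3 <> k4 for E' = 000100). It also counts, per key, how many of the 64 inputs give input difference 28 and how many of those are right pairs; the text's factor of 1/2 is an average, and the exact count depends on the key (24 of 64 for the key piece 000011, for instance). The S-box tables are the DES ones from Tables III and V; the function names are the example's own.

```c
#include <stdio.h>

/* DES substitution boxes 1 and 4: row = bits 1 and 6, column = bits 2..5. */
static const unsigned char S1[4][16] = {
    {14, 4,13, 1, 2,15,11, 8, 3,10, 6,12, 5, 9, 0, 7},
    { 0,15, 7, 4,14, 2,13, 1,10, 6,12,11, 9, 5, 3, 8},
    { 4, 1,14, 8,13, 6, 2,11,15,12, 9, 7, 3,10, 5, 0},
    {15,12, 8, 2, 4, 9, 1, 7, 5,11, 3,14,10, 0, 6,13}};
static const unsigned char S4[4][16] = {
    { 7,13,14, 3, 0, 6, 9,10, 1, 2, 8, 5,11,12, 4,15},
    {13, 8,11, 5, 6,15, 0, 3, 4, 7, 2,12, 1,10,14, 9},
    {10, 6, 9, 0,12,11, 7,13,15, 1, 3,14, 5, 2, 8, 4},
    { 3,15, 0, 6,10, 1,13, 8, 9, 4, 5,11,12, 7, 2,14}};

/* Six-bit S-box lookup with the DES row/column convention. */
static unsigned sbox(const unsigned char box[4][16], unsigned x)
{
    return box[((x >> 4) & 2) | (x & 1)][(x >> 1) & 15];
}

/* Difference distribution table entry: how many of the 64 inputs x satisfy
   S(x) XOR S(x XOR in_diff) == out_diff.  16 for S4 and 12 for S1 at 28 -> 0. */
int ddt_entry(const unsigned char box[4][16], unsigned in_diff, unsigned out_diff)
{
    int n = 0;
    for (unsigned x = 0; x < 64; x++)
        if ((sbox(box, x) ^ sbox(box, x ^ in_diff)) == out_diff) n++;
    return n;
}

/* Isolated-box key insertion: the six-bit key piece times the six-bit
   expanded input, keeping the "right half pattern" (low six bits). */
unsigned mult_insert(unsigned e, unsigned k) { return (e * k) & 63; }

/* Position of the lowest set bit, counted from 1 at the right; 0 for zero. */
int lowest_set_bit(unsigned x)
{
    int p = 1;
    if (x == 0) return 0;
    while (!(x & 1)) { x >>= 1; p++; }
    return p;
}

/* Lemma in the isolated-box model: with E' a single bit at position r and the
   key's lowest set bit at position s, the input difference after key
   multiplication has its lowest set bit at r + s - 1 (and vanishes when that
   position lies outside the six bits).  Returns 1 if every key and input agree. */
int lemma_holds(unsigned e_diff)
{
    int r = lowest_set_bit(e_diff);
    for (unsigned k = 1; k < 64; k++) {
        int pos = r + lowest_set_bit(k) - 1;
        int expect = (pos <= 6) ? pos : 0;
        for (unsigned e = 0; e < 64; e++)
            if (lowest_set_bit(mult_insert(e, k) ^ mult_insert(e ^ e_diff, k)) != expect)
                return 0;
    }
    return 1;
}

/* Inputs E (of 64) whose pair (E, E XOR e_diff) shows input difference
   `target` at the S-box after key multiplication with key k. */
int count_input_diff(unsigned k, unsigned e_diff, unsigned target)
{
    int n = 0;
    for (unsigned e = 0; e < 64; e++)
        if ((mult_insert(e, k) ^ mult_insert(e ^ e_diff, k)) == target) n++;
    return n;
}

/* Same, but also requiring a zero output difference from S4: the event the
   one-round characteristic 28 -> 0 counts as a right pair. */
int count_right_pairs(unsigned k, unsigned e_diff, unsigned target)
{
    int n = 0;
    for (unsigned e = 0; e < 64; e++) {
        unsigned u = mult_insert(e, k), v = mult_insert(e ^ e_diff, k);
        if ((u ^ v) == target && sbox(S4, u) == sbox(S4, v)) n++;
    }
    return n;
}

/* Key-bit conditions derived in the text (k1 is the most significant bit).
   E' = 001000 (bit c): k6 = 1 and k4 <> k5.
   E' = 000100 (bit d): k5 = 1, k6 = 0 and k3 <> k4. */
int key_condition_case1(unsigned k)
{
    return (k & 1) == 1 && ((k >> 2) & 1) != ((k >> 1) & 1);
}
int key_condition_case2(unsigned k)
{
    return (k & 3) == 2 && ((k >> 3) & 1) != ((k >> 2) & 1);
}

/* 1 if, for every six-bit key, input difference 28 (Hex) is reachable from
   e_diff exactly when cond(k) holds. */
int conditions_are_exact(unsigned e_diff, int (*cond)(unsigned))
{
    for (unsigned k = 0; k < 64; k++)
        if ((count_input_diff(k, e_diff, 0x28) > 0) != (cond(k) != 0)) return 0;
    return 1;
}

int main(void)
{
    printf("S4: 28->0 in %d/64, S1: 28->0 in %d/64\n",
           ddt_entry(S4, 0x28, 0), ddt_entry(S1, 0x28, 0));
    for (unsigned k = 0; k < 64; k++)
        if (key_condition_case1(k))
            printf("key %02o: %2d inputs give 28, %2d of them are right pairs\n",
                   k, count_input_diff(k, 8, 0x28), count_right_pairs(k, 8, 0x28));
    return 0;
}
```

The per-key counts show why the 1/8 figure should be read as an estimate: the condition k5 = C couples the key to a bit of E . K, and multiplication by the key piece does not distribute that bit evenly over the inputs.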

Key schedule compliance

In order to use this characteristic iteratively the conditions on the key bits
must be obeyed for all sixteen rounds. This must be checked via the key
scheduling algorithm to ascertain that throughout the sixteen rounds no
violations of these conditions are encountered. We used the key schedule of
DES for our analysis, with the knowledge that even independently
generated keys should not severely alter our conclusions. The key schedule
in DES involves an initial permutation which selects 56 of the 64 bits, a
division of the 56 bits into two 28-bit halves, a circular left shift by 1 or 2
bits depending on the round number, and a permuted choice to select the 48
subkey bits. At each round a different key bit assumes key bit location k6
(which is really key bit location 24, counting from left to right, with respect
to the round subkey) and will therefore be constrained to the value 1.
Therefore 16 key bits are constrained to the value 1. In addition, 16 x 2
different key bits assume key positions k4, k5 (locations 22 and 23, counting
from left to right, with respect to the round subkey) and cannot be equal to
each other. Table VI lists the key bits occupying key bit locations k4, k5 and
k6 during the 16 rounds.

We conclude that:

For odd rounds key bit 18 cannot equal key bit 27.

This is true since for round 1, 36 <> 27, for round 5, 36 <> 9 and for round 9,
9 <> 18. The first two give 9 = 27, and with the third, 18 <> 27.

However, we find that in round 1 key bit 18 is 1 and in round 5 key bit 27 is
1, therefore we cannot iterate very far on odd rounds using this
characteristic.

For even rounds key bit 17 cannot equal key bit 44.

This is true since for round 8, 26 <> 17, for round 12, 26 <> 35 and for
round 16, 35 <> 44. The first two give 17 = 35, and with the third, 17 <> 44.

However, we find that in round 12 key bit 17 is 1 and in round 8 key bit 44
is 1, a contradiction. Therefore, we can apply this characteristic for only 15
rounds (the incompatibility occurs in round 16, where bit 44 contradicts bit
35 and therefore bit 17) with 14 conditions on the key bits.

TABLE VI
KEY BITS IN k4, k5 AND k6

ROUND    BITS IN k4, k5 (<>)    BIT IN k6 (= 1)
  1          36     27               18
  2          57     19               10
  3          41      3               59
  4          25     52               43
  5           9     36               27
  6          58     49               11
  7          42     33               60
  8          26     17               44
  9          18      9               36
 10           2     58               49
 11          51     42               33
 12          35     26               17
 13          19     10                1
 14           3     59               50
 15          43     52               34
 16          44     35               26


We conclude that this 14 round characteristic has a probability of:

PROB [14 rounds] (28 -> 0)_S4 = (1/2^3)^14 = 2^-42                            (7)

Thus the attack on this modified MultiDES requires ~2^42 chosen plaintexts.
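The chains of inequalities above form a two-colouring problem on the key bits, which is easy to get wrong by hand. The following C program is an added example, not part of the patent: it encodes the rows of Table VI, imposes k4 <> k5 and k6 = 1 round by round with a union-find structure that carries parity, and reports the first round at which the accumulated conditions become contradictory, separately for the odd and even rounds as the text does. The bit numbers are taken from Table VI as given; the program does not rederive them from the DES key schedule, and the function names are the example's own.

```c
#include <stdio.h>

/* Table VI of the text: the key bit (numbered 1..64) that occupies subkey
   positions k4, k5 and k6 of substitution box 4 in each round. */
struct round_bits { int round, k4, k5, k6; };
static const struct round_bits table_vi[16] = {
    { 1, 36, 27, 18}, { 2, 57, 19, 10}, { 3, 41,  3, 59}, { 4, 25, 52, 43},
    { 5,  9, 36, 27}, { 6, 58, 49, 11}, { 7, 42, 33, 60}, { 8, 26, 17, 44},
    { 9, 18,  9, 36}, {10,  2, 58, 49}, {11, 51, 42, 33}, {12, 35, 26, 17},
    {13, 19, 10,  1}, {14,  3, 59, 50}, {15, 43, 52, 34}, {16, 44, 35, 26}};

/* Union-find with parity over nodes 0..64: node 0 is the constant 0 and node
   i is key bit i.  parity[x] is x XOR parent[x]; relate(a, b, d) imposes
   a XOR b = d and reports whether that contradicts what is already known. */
#define NODES 65
static int parent[NODES], parity[NODES];

static void reset(void)
{
    for (int i = 0; i < NODES; i++) { parent[i] = i; parity[i] = 0; }
}

static int find(int x, int *p)   /* returns the root of x; *p = x XOR root */
{
    *p = 0;
    while (parent[x] != x) { *p ^= parity[x]; x = parent[x]; }
    return x;
}

static int relate(int a, int b, int d)   /* 0 = consistent, 1 = contradiction */
{
    int pa, pb, ra = find(a, &pa), rb = find(b, &pb);
    if (ra == rb) return (pa ^ pb) != d;
    parent[ra] = rb;
    parity[ra] = pa ^ pb ^ d;
    return 0;
}

/* Round selection: 0 = every round, 1 = odd rounds only, 2 = even rounds only
   (the text treats the odd and even chains of conditions separately). */
static int selected(int round, int which)
{
    return which == 0 || (which == 1 && round % 2 == 1) || (which == 2 && round % 2 == 0);
}

/* First selected round whose conditions (k4 <> k5, k6 = 1) contradict those
   of the earlier selected rounds; 0 if all of them can hold at once. */
int first_conflicting_round(int which)
{
    reset();
    for (int i = 0; i < 16; i++) {
        const struct round_bits *r = &table_vi[i];
        if (!selected(r->round, which)) continue;
        if (relate(r->k4, r->k5, 1)) return r->round;   /* k4 XOR k5 = 1 */
        if (relate(r->k6, 0, 1)) return r->round;       /* k6 XOR 0  = 1 */
    }
    return 0;
}

/* Number of key-bit conditions (two per round) that hold before the conflict. */
int conditions_before_conflict(int which)
{
    int stop = first_conflicting_round(which), n = 0;
    for (int i = 0; i < 16; i++) {
        int round = table_vi[i].round;
        if (stop && round >= stop) break;
        if (selected(round, which)) n += 2;
    }
    return n;
}

int main(void)
{
    const char *names[] = {"all rounds", "odd rounds", "even rounds"};
    for (int which = 0; which < 3; which++)
        printf("%-11s: %2d conditions hold, first conflict in round %d\n",
               names[which], conditions_before_conflict(which),
               first_conflicting_round(which));
    return 0;
}
```

For the even rounds the search reproduces the text: rounds 2 to 14 impose 14 compatible conditions and round 16 is the first to contradict them; for the odd rounds the contradiction already appears in round 9, which is what "cannot iterate very far" amounts to.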
Case r = 3, s = 2:

Assume the key, K, has the piece entering substitution box 4 with bits k1 k2 k3
k4 k5 k6.

(These bits are those entering substitution box 4 and are numbered for
convenience with respect to this substitution box, but they are really bits
19-24 of the subkey, as counted from left to right, or bits 25 to 30 when
counted from right to left.) Since s = 2, k5 = 1 and k6 = 0.

Assume E has bits a b c d f g and E* has bits a* b* c* d* f* g* entering
substitution box 4.

To comply with the Lemma and its corollary, E' = 000004000000 (Hex), and
therefore d must complement d*. Without loss of generality we can write:
a = a*, b = b*, c = c*, d <> d*, f = f* and g = g*. We can also set d = 0,
causing d* = 1, so that E* = E + E'.

Consider the expression:

E* . K = (E . K) + (E' . K)                                                    (3)

We evaluate the right hand side of Eq. (3).

(E' . K) = (0 0 0 1 0 0) . (k1 k2 k3 k4 1 0), whose right half pattern is
k3 k4 1 0 0 0.

(E . K) is unknown and assumed to have bit pattern A B C D F G.
(E* . K) is given by Eq. (3) and evaluated as the binary sum:

       A  B  C  D  F  G
  +   k3 k4  1  0  0  0
     -------------------
      A* B* C* D  F  G

The following conditions are automatically valid: C <> C*, D = D*, F = F*,
G = G*; carry_D, carry_F and carry_G all equal zero, and carry_C = C. In
addition, since K(E') (Eq. (1)) was set at 28 (Hex), bit pattern 1 0 1 0 0 0,
A <> A* and B = B*. We investigate the carry arithmetic for our conditions
B = B*, A <> A*:

B* = B + k4 + carry_C - 2 carry_B                                              (8)

Now B* = B if and only if k4 + carry_C = 0 (mod 2), i.e. when k4 = carry_C.
But carry_C = C, therefore k4 = C.

A* = A + k3 + carry_B - 2 carry_A                                              (9)

Now A* <> A if and only if k3 + carry_B <> 0 (mod 2), i.e. when k3 <> carry_B.

Examine the two cases C = 0 and C = 1:

When C = 0, then k4 = 0 and carry_C = 0, so carry_B = 0 and A* <> A if and
only if k3 = 1.
When C = 1, then k4 = 1 and carry_C = 1, so carry_B = 1 and A* <> A if and
only if k3 = 0.
We conclude that in all cases the key bits satisfy k3 <> k4, k5 = 1 and k6 = 0.

The given constraints reduce the overall probability by 1/2 (as noted in the
discussion of the previous case). The probability for the input difference to
achieve the desired output difference in substitution box 4, i.e.
Prob[28 -> 0]_S4, is 16/64 = 1/4; therefore, the probability of this
characteristic is (1/4)(1/2) = 1/8. To be useful we must apply this
characteristic iteratively over the MultiDES rounds.

We check for compliance with the key schedule. Table VII is a list of the
subkey bits which occupy key positions k3, k4 and k5.

We conclude that:

For odd rounds:

From Table VII (round 1), key bit 1 cannot equal key bit 36; however, from
Table VI we find that for round 13 key bit 1 = 1 and for round 9 key bit
36 = 1. Other contradictions exist.

For even rounds:

From Table VII, k3 cannot equal k4; however, in round 2 k3 = 58 and in
round 6 k4 = 58. In addition, for round 4 k3 = 26 and in round 8 k4 = 26.
Therefore, we cannot apply this characteristic for 16 rounds.
This characteristic is useless for a complete differential cryptanalysis attack.
It may be useful for independent keys which are not constrained to the DES
key schedule algorithm.

MultiDES, general case

We proceed to apply the methodology used on the isolated substitution box
case to the general case of MultiDES, in which common multiplication may
affect neighboring substitution boxes. Again we will show that MultiDES is
stronger than DES in a differential cryptanalysis attack, that the key
space for compliance with high probability characteristics is limited, and
that the probability of success for the limited key space is less than in an
attack against DES.

In order to apply the techniques used previously, we note that only for the
first substitution box can the effect of common multiplication resemble the
isolated substitution box case. Multiplying two bit patterns each of length i
results in a bit pattern of length up to 2i. This causes bit patterns of an
input difference E' (E XOR E*) belonging to a higher substitution box to
affect, after key multiplication, the input difference pattern K(E') of a
lower substitution box. Since we can choose the bit pattern of E' so that all
bits not associated with substitution box 1 are set to zero (i.e., bits 1-42,
counting from right to left of the round subkey), the desired substitution box
will not be affected after key multiplication by bit patterns of E', or by
those of the key, that were not associated with substitution box 1 before the
multiplication.

TABLE VII
KEY BITS IN k3, k4 AND k5

ROUND    BITS IN k3, k4 (<>)    BIT IN k5 (= 1)
  1           1     36               27
  2          58     57               19
  3          42     41                3
  4          26     25               52
  5          10      9               36
  6          59     58               49
  7          43     42               33
  8          27     26               17
  9          19     18                9
 10           3      2               58
 11          52     51               42
 12          36     35               26
 13          49     19               10
 14          33      3               59
 15          17     52               43
 16           9     44               35


Moreover, for substitution box 1 we have no concern with bit interaction to
a lower substitution box as a result of the multiplication step. We therefore
select substitution box 1 for our attack. The input difference, K(E'), into
substitution box 1 must only affect this box; hence, the last two bits of its
bit pattern must be zero. Moreover, we seek an input difference which
yields an iterative characteristic of the form shown in Fig. 12, i.e., one
yielding a transition to an output difference of zero with high probability.
The highest probability input difference for substitution box 1 yielding
output difference zero (obtained from the Difference Distribution Table) is
28 (Hex), with probability:

Prob (28 -> 0) = 12/64 = 3/16

Applying the Lemma to 28 (Hex) (bit pattern 101000) in substitution box 1
gives r + s - 1 = 46, or r + s = 47 (counting from the right, bits 43-48 enter
substitution box 1). As noted previously, E, E* and E' must be valid
E-expansions and E' must not affect the previous or next substitution boxes.
The nibbles entering substitution box 1 are nibbles 1 and 2 of the input XOR,
E' (all of nibble 1 and the leftmost 2 bits of nibble 2). To be a valid
E-expansion, nibble 2 must be either 0, 5, A or F. Only 0 for nibble 2 agrees
with the condition that the input XOR will have its two rightmost bits both
zero. This limits the possibilities for an E' associated with substitution
box 1 to 00, 10, 20, 30. E' = 00 is not useful for a differential attack.
Applying the Lemma to the case at hand, an input difference to substitution
box 1 having Hex bit pattern 28 (101000), r + s - 1 = 46, r + s = 47. This
means there are several choices for characteristics:

for r = 46, s = 1 (E' = 20, 30)
for r = 45, s = 2 (E' = 10)

Applying the Corollary of the Lemma, we eliminate E' = 30 (Hex).
This constrains the choices of E' and the corresponding keys which can
give a given K(E').

These r values (together with the corollary) limit the input XOR, E', into
substitution box 1 to 20 and 10 (Hex).

These s values give us our first constraints on the subkey bits entering
substitution box 1. Allowable keys have bit patterns of xxxxx1 or xxxx10
(where x can be arbitrarily 0 or 1). We now show additional constraints on
the key bits entering substitution box 1.

We select r = 46 or E' = 20 (Hex) (with bit pattern 0 0 1 0 0 0 0 0), giving
s = 1, and therefore the last bit of the subkey entering substitution box 1,
k6, = 1. In an analysis identical to that for the isolated substitution box
case (and repeated here, in part, for convenience) we obtain the following:

      (E . K)  :   A  B  C  D  F  G
  +   (E' . K) :  k4 k5  1  0  0  0
                 -------------------
                  A* B* C* D* F* G*

Therefore C <> C*, D = D*, F = F* and G = G*, with carry_D, carry_F and
carry_G all equal to zero (carry_in, the carry into column G, is also zero
since bits 1-42, counting from right to left, of E' are all zero), and
carry_C = C. Since our input difference K(E') = 28 (Hex), A XOR A* = 1 and
B XOR B* = 0, i.e. A <> A* and B = B*.

We examine the carry arithmetic for B, B* and A, A*.

B* = B + k5 + carry_C - 2 carry_B                                              (5)

B* = B if and only if k5 + carry_C = 0 (mod 2), since 2 carry_B is zero mod 2
for carry_B = 0 or 1. Therefore k5 = carry_C. But carry_C = C, therefore
k5 = C.

A* = A + k4 + carry_B - 2 carry_A                                              (6)

A* <> A if and only if k4 + carry_B <> 0 (mod 2), therefore k4 <> carry_B.
Examine the two cases C = 0 and C = 1:

When C = 0, then k5 = 0, carry_C = 0 and carry_B = 0, so A* <> A if and only
if k4 = 1.
When C = 1, then k5 = 1, carry_C = 1 and carry_B = 1, so A* <> A if and only
if k4 = 0.
We conclude that in all cases the key bits satisfy k4 <> k5 and k6 = 1.

The input XOR, E', is limited to two values, 10 and 20 (Hex), which comply
with an input difference K(E') of 28 (Hex) after key multiplication. The
transition 28 (Hex) -> 0 for substitution box 1 occurs with probability
12/64. This means that only 12 correct pairs (E, E*) exist which yield the
output difference 0. However, each E' also has an associated 12 (E, E*) pairs
(total of 24 pairs). Therefore, only half the possible (E, E*) pairs are
correct ones, and this reduces the overall probability by 1/2. Therefore, the
probability for this iterative characteristic is:

PROB [1 round] (28 -> 0)_S1 = (1/2) * (3/2^4) = 2^-3.415                      (10)

To be useful we must apply this characteristic iteratively over the MultiDES
rounds.

In order to use this characteristic iteratively we check the key schedule for
compliance. We find conflicts with the key schedule for round 16.
Therefore, we can only use this characteristic for 14 rounds.
We conclude that this 14 round characteristic has a probability of:

PROB [14 rounds] (28 -> 0)_S1 = (2^-3.415)^14 = 2^-47.8 ~ 2^-48              (11)

In summary we note the following:

This probability is for a given best characteristic, which applies only to
specific keys. Such keys are rare. In the case above, although the
characteristic has probability ~2^-48, it applies only to a small
power-of-two fraction of the possible keys. Thus we conclude that there exist
many keys for which there are no good characteristics by which to attack
them. Therefore, MultiDES and its variants are cryptographically stronger
than DES.
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TABLE II 



E - Expansion 



32 


1 


2 


3 


4 


5 


4 


5 


6 


7 


8 


9 


8 


9 


10 


11 


12 


13 


12 


13 


14 


15 


16 


17 


16 


17 


18 


19 


20 


21 


20 


21 


22 


23 


24 


25 


24 


25 


26 


27 


28 


29 


28 


29 


30 


31 


32 


J 



TABLE III

Substitution Boxes

Substitution box 1

         0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
  0     14   4  13   1   2  15  11   8   3  10   6  12   5   9   0   7
  1      0  15   7   4  14   2  13   1  10   6  12  11   9   5   3   8
  2      4   1  14   8  13   6   2  11  15  12   9   7   3  10   5   0
  3     15  12   8   2   4   9   1   7   5  11   3  14  10   0   6  13

Substitution box 2

         0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
  0     15   1   8  14   6  11   3   4   9   7   2  13  12   0   5  10
  1      3  13   4   7  15   2   8  14  12   0   1  10   6   9  11   5
  2      0  14   7  11  10   4  13   1   5   8  12   6   9   3   2  15
  3     13   8  10   1   3  15   4   2  11   6   7  12   0   5  14   9

Substitution box 3

         0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
  0     10   0   9  14   6   3  15   5   1  13  12   7  11   4   2   8
  1     13   7   0   9   3   4   6  10   2   8   5  14  12  11  15   1
  2     13   6   4   9   8  15   3   0  11   1   2  12   5  10  14   7
  3      1  10  13   0   6   9   8   7   4  15  14   3  11   5   2  12

Substitution box 4

         0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
  0      7  13  14   3   0   6   9  10   1   2   8   5  11  12   4  15
  1     13   8  11   5   6  15   0   3   4   7   2  12   1  10  14   9
  2     10   6   9   0  12  11   7  13  15   1   3  14   5   2   8   4
  3      3  15   0   6  10   1  13   8   9   4   5  11  12   7   2  14

Substitution box 5

         0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
  0      2  12   4   1   7  10  11   6   8   5   3  15  13   0  14   9
  1     14  11   2  12   4   7  13   1   5   0  15  10   3   9   8   6
  2      4   2   1  11  10  13   7   8  15   9  12   5   6   3   0  14
  3     11   8  12   7   1  14   2  13   6  15   0   9  10   4   5   3

Substitution box 6

         0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
  0     12   1  10  15   9   2   6   8   0  13   3   4  14   7   5  11
  1     10  15   4   2   7  12   9   5   6   1  13  14   0  11   3   8
  2      9  14  15   5   2   8  12   3   7   0   4  10   1  13  11   6
  3      4   3   2  12   9   5  15  10  11  14   1   7   6   0   8  13

Substitution box 7

         0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
  0      4  11   2  14  15   0   8  13   3  12   9   7   5  10   6   1
  1     13   0  11   7   4   9   1  10  14   3   5  12   2  15   8   6
  2      1   4  11  13  12   3   7  14  10  15   6   8   0   5   9   2
  3      6  11  13   8   1   4  10   7   9   5   0  15  14   2   3  12

Substitution box 8

         0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
  0     13   2   8   4   6  15  11   1  10   9   3  14   5   0  12   7
  1      1  15  13   8  10   3   7   4  12   5   6  11   0  14   9   2
  2      7  11   4   1   9  12  14   2   0   6  10  13  15   3   5   8
  3      2   1  14   7   4  10   8  13  15  12   9   0   3   5   6  11
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TABLE IV 

5 P - Permutation 
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TABLE V 

S-BOXESfrom DES prior art, in different format 
static char si[8] [64] = {H. 4, 13. 1. 2, 15. IJ. 8. 3. 10. 6. 12. 5. 9. 0. 7, 0. 15. 7. 
4. 14. 2. 13. 1. 10. 6. 12. 11. 9. 5. 3. 8. 4. 1, 14. 8. 13. 6. 2. 11. 15. 12. 9. 7. 3. 10. 
5 5. 0. 15. 12. 8. 2. 4. 9. 1. 7. 5. 11. 3. 14. 10. 0. 6. 13. 15. 1. 8. 14. 6. 11, 3. 4. 9. 

7. 2, 13. 12. 0. 5, 10. 3. 13, 4. 7. 15. 2. 8. 14. 12. 0. 1. 10. 6. 9. 11. 5. 10. 14. 7, 
11. 10. 4, 13. 1. 5. 8. 12. 6. 9. 3. 2. 15. 13. 8. 10. 1, 3. 15. 4. 2. 11. 6. 7. 12. 0. 5. 
14. 9. 10 0 9. 14. 6. 3. 15. 5. 1. 13. 12. 7. 11. 4, 2. 8. 13, 7, 0. 9. 3. 4. 6. 10. 2. 

8. 5. 14. 12. 11, 15. 1. 13. 6. 4. 9. 8. 15, 3. 0, 11, 1. 2. 12. 5, 10, 14. 7. 1, 10. 13. 
10 0. 6. 9, 8, 7. 4. 15. 14. 3. 11. 5. 2. 12. 7. 13. 14. 3. 0. 6. 9. 10. 1. 2. 8. 5. 11. 12. 

4. 15. 13. 8. 11. 5. 6. 15. 0. 3. 4. 7. 2. 12. 1, 10. 14. 9. 10. 6, 9. 0. 12, 11. 7. 13. 
_ 15. 1. 3. 14, 5. 2. 8. 4. 3. 15. 0. 6. 10. 1. 13. 8. 9, 4. 5. 11. 12. 7. 2, 14. 2. 12. 4. 

I. 7. W. 11. 6. 8. 5. 3. 15. 13. 0. 14. 9. 14. 11. 2, 12. 4. 7. 13. 1. 5. 0 15. 10. 3. 9. 

8. 6. 4, 2. 1. 11. 10. 13. 7. 8. 15. 9. 12. 5. 6, 3. 0. 14, 11. 8. 12, 7. 1. 14, 2. 13. 6. 
15 15. 0. 9. 10. 4. 5. 3. 12. 1. 10. 15. 9. 2. 6. 8. 0. 13. 3. 4, 14, 7. 5. 11. 10. 15. 4. 2. 

7. 12. 9, 5. 6. 1. 13. 14. 0. 11. 3. 8. 9. 14. 15. 5. 2. 8. 12. 3, 7. 0. 4. 10. 1. 13. 11, 
6. 4. 3. 2. 12. 9. 5. 15. 10. 11. 14. 1. 7. 6. 0. 8. 13. 4. 11. 2. 14, 15, 0. 8. 13, 3, 12, 

9. 7. 5. 10. 6. 1. 13. 0. 11. 7. 4. 9. 1. 10. 14. 3. 5. 12. 2. 15. 8. 6. 1. 4. 11. 13. 12. 
3. 7. 14. 10. 15. 6. 8. 0. 5. 9. 2. 6. 11. 13. 8. 1. 4. 10. 7. 9. 5. 0. 15. 14. 2. 3. 12. 

20 13. 2, 8. 4. 6. 15. 11. 1, 10, 9, 3. 14. 5. 0. 12. 7. 1. 15. 13. 8. 10, 3. 7. 4. 12. 5. 6. 

II. 0. 14. 9. 2. 7. 11. 4, 1. 9. 12. 14. 2. 0. 6. 10. 13. 15. 3. 5. 8. 2. 1. 14. 7. 4. 10. 

8. 13. 15. 12. 9. 0. 3. 5. 6. 11}: 
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APPENDICES: Add - PES (detailed analvjsisi , 
In DCS ihcrc are iwu XOR - operations in each round The first XORs the cxp|hclcd input wiih i!ic :;ubkcy 
within the F fuiiciiun while the ulhcr XORs. the output of the f- function with tfie other half ol ihc input 
data. Ihe followinii dcscnlKs the possible modification of Db'S which replace tEc XOR with the F 
tunciion hy addition operation. This variant of cryptosistcm we call ' add - DE^" 
Wc arc going to apply the technique of differential crvptanalysis to add • DPS. 
Fimt of all some prcliiiiiiiary remarks mainly of heuri5»tic character. 

1. According to general scheme of Biham and Shamir (BiSh93J we niusi choose the proper 
characlcristic as a h:ise for iterative characicri5;tic. The tenn "proper" means that iis prohahiliiy mast 
he better then probability of known one for original version of DES I * WcjvaiU to compare Uie 
cryptographic sirencth (if b<nh systems with initial conjecture that add - DBS is weaker than DRS * / 

2. Simple observation shows that the key addition of key K to each member ot plain icxls pair (R.n*) in 
general does change the XOR result E' = II+E* of this pair: 

K(I3) ' = (K-^E) e (K+E*) ^ R+E* = E ' 

3. Tliereforc one must describe the necessary conditions (5n right (P.P*) pair sutid niayhc on 'weak kevs" 
/ ♦ a priori, wc do not know whether we can develop a successful attach onany key. or only on special 
"weak" one * / which imply possibility of evaluation XOR result K(E)' after key addition. 

4. Such possibility permits u.n to choose cfHcicnUy CP,P*) pair with prcscribed^JCOR K{E)' for wliich one 
can apply different distributive tables DDT with best ptwsiblc probability. 

5. However what wn.^ said in paragraph 2. there i.s u class of (P,P*) pairs, for which addition e<in.scrves 
ihc XOR I esull, we mean (ILC*) pair with E'^O , i.e. E=E*. Therefore whfcn the XOR of the pairs 
are zeni the outputs arc equal too which makes all the keys equally likely. 

6. The above p<iint implies that we must try (E,n*) pair with E'aiO. In this case-w^.: obtain die nojit 
invariant: Key addition coi)jerv.e,sjihc poi^iiion of the last iiou zero bit iii£l XOK. 

7. If diis last non /.cro bit in R' • XOR belongs to Sj - box then we can say soniething more definite alwtit 
its postlion in $: If i 9£ » then the lastj^wg. bits of XOR - input fur Si - arc /.caj. 

Indeed otherwise according to definition of E - expansion . the last iw<i bits3n S, Ik>a coincide OAaclly 
with leadinj! two bits <jf Sj^i box. This contradicts with the choice of Sj box. 

8. One can prove -such statcment:.llj>i jijiicoidy S.bO)L.ljcu*, which. Ejdiffcr from ^cro. E' ti. man lor 
W>'i:ey .K the pjcalrabiljiy:i<LlKiE}j;=i:J!IL^Q 

9. The prtKif of above statement shows that the result XOR of key - addition K^') =( K+E)©(K+E* ) in 
this last important Si - box can be only one of ihc next values /* in hex sigaatiire N. = 4, X. C, 1 0, 
14^ . IK,. 1 C. 20.. 24», 28.. 2C\. 30„ 34.. 38.. 3C,. Thereiorc one can choose the iK\st candidates tor 
an attack: the best irnponant S; box together with proper . For example: 

Si ^ S4. and = 2K» = lOlCKX), 

10. Some reniar k s about ca rry. Wc are going to calculate all caro' in both additions: K+E and K+F.*, 
Suppose we have sum U+V=W in binary signature with corresponding hits ii( . v, and w, in i-th 

column, i = 0, I n. The preliminary value of sum in i-fl - th column is Sumj,, = u,+i Vj^, ^ 

carry,. Tlie real value of sum in i+I - th column is wpH = SunVi (mod 2). Sfhcc Uo+Vt, <= 1 + 1=2 wc 
have carryo <= I . Suppo.'ic that 0 <= earryi <= 1 . Then Sumi*i= Ui^,+Vi4.t+ cairyi <= 3. ITicrcfore 0 
ea^ry^n= (Sumi.,->*ri^,) / 2 <=l. So always.O <- Cftjxyi <=l . w,» Sumi- 2 cartyi- 

1 1 . Now we can research an aiiaek in tBiSh931: The Is-Si iniponani S - box is S^^ N,= 28, with p ( N. -* 0 
) « \(ilCA (the best possible probability for an isolated S - box. The pair ( P^* ) of plaintext with 
XOR r «if right halves. V = ()0()e{)000 = 0000 which after E - expansion in" 

0000 
0000 
1100 
0000 
0000 
0000 
OOIX) 

the first round transfers into the E' = 000000 = 000058000000. 

000000 
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000001 

onooo 

(XKKXX) 
000000 
000000 
000000 

The auihurs (Bi.Sh9:M declare Thai the addition of" the key K cause the inpuc^XOR to hccuinc 
K(F) • = (K-»-E)®(K+li'} = 000028000000 =000000 

000000 

000000 

K)I(KK) 

(KXKKK) 

0000(.KJ 

000000 

000000 

wiih probability of 1/16. Let us consider an arbitrary ( E,E* ) pair with fixed gives E' - XOR. 
According lo choice wc have for S3 and S4 boxes: 

t = . . . . a b X y 7. I . . .... a b* x y^ 7' 1 . . . = B* 

+ + 
K - . . - A B X Y Z T . . .... A B X Y Z r . . . = K 

K+E = . . . . A 8 X V Z T . . ... . A-fi- X* /-Z- TV . . = K+E 

( Here I he Nvmbois b and b' dcnoce opprisiic values. ) 

We denote corresponding carry in a-, b-. x-. y-. ... position for K + E and K E* by earry...c;irryr.,' 

and by carry/, carry^*, ... respectively. 
Lei us make s<ime obscrvntions about such c-arrics. 

12. lT<»in the above ( paragraph number 10): 

A = a + A + carryi, - 2carry, ; A* = a + A + carryb* - 2carry,*. 

According to assunipiion about key addition: A* = A hence carryb - 2carry^= carry,,* - 2carry..,*- 
Suppose that carry^ 3i carryc*. Then one *)f the pans of both cquatiotw has value, belonging u> 
{0. .2) while the other belongs to { ). .| J. Since JO. -21 ri ( I. -I } = 0 chisus conimdiciion. 
Tliercfore c;ury,. c:irryr*. and as a conscqucncc_c;jiTO:;.^i;ai:ry.n* . 

1 3. Without Joss of gcneraliiy one can assume thai b « 0. h' = I . In other case wc can swap i and I*. 
B = b + a + ciury, - 2carr>'b : B* = b' + B + carr>\* - 2carryh*. 

Since B = fi* wc have carry, = I + carr>',*. Therefore Ciu:ry., = I and cari v,* = O . 

14. X X + X + carry, - 2carry, : X* « x + X + carry^* - 2carry«*. 

According 10 assumption X* = X\ so -( x+X ) = carry, - 2 - X : -( x+X ) = carry/* - X" 
hence carry ^ - 2 - X = carry,* - X . Therefore: 

carry, = carry/ + 2 + ( X-X' ) >= carry/ + 2 + ( 0- 1 ) = carry/ + 1 > canyy*. 

X >= 0 ; X' <= I 
Thus carry, - I arid carrv^* = 0 

1 5. V = y + Y + carr>',. - 2carryy : V* » y' + Y * carry,* - 2carry^* 

According to ;u;sumption Y* = V. so y -4- carry, - 2 ~ y* + carry,* or y - y' - 2 « carry^*- - caiiy/. . 
H<iwevcr y - y' - 2 - I . if y = I while carry,* - carry, = 1 .if carry>* < cany, 
-3 , it y = 0 0 , if carry/ = carry. 

I .if carry / > earry^ 
Therefore for the only cornm(»n value of both parts, equal I. wc have y 1 an ti y^ = O . 

1 6. Wc acc that b « 0. y = I and b = I . y* = 0. The value of b- and y- bits in £ € Jikcly aj: viijue of 
corresponding bits in E* ) arc opposite to each other. However from the dcfiniiion of E - expansion 
these value must be coincide. This i.<; coniradiciion. So. instead of siaicmentthe auihors: 

There docs nnt exist such a key K. thai its addition cause the input XOR E' « 0(>0()5XO(XXMK) to 
l>ccurnc K(I:) ' = 000028000000. 
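The contradiction derived in paragraphs 12-16 can be confirmed by exhaustive search, since only the S3 and S4 columns of the addition are involved. The following C program is an added example, not part of the patent or of [BiSh93]: it assumes that add-DES performs one 48-bit addition of the expanded input and the subkey (carries cross S-box boundaries, as the analysis above presumes), enumerates every key window, input window and carry-in for the twelve S3 || S4 columns, and counts how often (K + E) XOR (K + E*) becomes 000028000000 there with equal carries out of the window. With the E-expansion coupling E17 = E19, E18 = E20 imposed the count is zero; dropping that coupling produces hits, which shows the contradiction comes from the expansion and not from the arithmetic. The window layout and function names are the example's own.

```c
#include <stdio.h>

/* The twelve E-expansion input bits of S3 (bits 13..18) and S4 (bits 19..24),
   most significant first, so bit 13 of E is window position 0. */
#define WINDOW_BITS 12
#define E_DIFF   0x058u   /* 000001 011000: E' = 000058000000 restricted to S3||S4 */
#define TARGET   0x028u   /* 000000 101000: the K(E)' value claimed in [BiSh93]   */

static unsigned wbit(unsigned w, int pos) { return (w >> (WINDOW_BITS - 1 - pos)) & 1u; }

/* E-expansion coupling inside the window: E17 = E19 (both copy R12) and
   E18 = E20 (both copy R13). */
static int valid_expansion(unsigned e)
{
    return wbit(e, 4) == wbit(e, 6) && wbit(e, 5) == wbit(e, 7);
}

/* Count the (key window, input window, carry-in) triples for which
   (K + E) XOR (K + E*) equals `target` inside the window and both sums carry
   the same bit out of it (so S1 and S2 see a zero difference).  The carry-in
   from the S5..S8 columns is the same for both sums because E and E* agree
   there, so it is simply enumerated. */
long count_add_des_hits(unsigned target, int enforce_expansion)
{
    long hits = 0;
    for (unsigned cin = 0; cin < 2; cin++)
        for (unsigned k = 0; k < (1u << WINDOW_BITS); k++)
            for (unsigned e = 0; e < (1u << WINDOW_BITS); e++) {
                if (enforce_expansion && !valid_expansion(e)) continue;
                unsigned s  = k + e + cin;              /* 13 bits: carry-out + window */
                unsigned s2 = k + (e ^ E_DIFF) + cin;
                if ((s ^ s2) == target) hits++;
            }
    return hits;
}

int main(void)
{
    printf("E' -> 28 with E-expansion coupling  : %ld\n", count_add_des_hits(TARGET, 1));
    printf("E' -> 28 ignoring the coupling      : %ld\n", count_add_des_hits(TARGET, 0));
    printf("E' -> 58 (addition acting like XOR) : %ld\n", count_add_des_hits(E_DIFF, 1));
    return 0;
}
```

The third count is a sanity check: the difference 000058000000 itself survives addition whenever the relevant key and carry bits are zero, so the search is not vacuous.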
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WHAT IS CLAIMED: 

(1) A method for operating a general purpose data processor to enable said data 
processor to encrypt, the method comprising the steps of: 

(a) employing an arithmetic operation on a plurality of single size inputs yielding
said plurality size single result, and

(b) folding a distinct single size portion of said result in said plurality companion 
executions. 

(2) A machine for encrypting plain text-derived-input comprising: 
(a) a memory providing the s-boxes of DES as numbers, and

(b) a combiner combining said numbers on a bit-by-bit basis 
with limited carry into the stream of said plain text-derived-input. 

(3) A method for a cryptographic primitive to enable a data processor to perform said
cryptographic primitive on plain-text derived input, the method comprising the steps of:

(a) selecting a cryptographically suitable mask depending on information available 
within the round function selected from the group of round number, block number, 
and data being encrypted, and 

(b) combining said mask into stream of said plain text-derived-input. 


(4) A cryptobox machine comprising: 

(a) a plain text provider providing a plain text, 

(b) a subkey provider providing a plurality of subkeys, 

(c) a cryptobox employing said plain text and said subkeys to generate new
subkeys, and

(d) a connector providing said new subkeys to another cryptobox to process 
more plain texts. 

(5) A method for implementing substitution boxes in logic gates on a 32-bit
microprocessor, the method comprising the steps of:

(a) calculating combinations of 32-bit variables for repeated usage, and 

(b) employing 32-bit equations which accurately calculate a value of a single bit of 
output of the substitution box using the results of step (a). 

(6) A machine for data scrambling comprising a local scrambling operation and a
permutation distributing bits from output of a given local scrambler to input of other local 
scramblers, comprising: 

(a) a local scrambler P which distributes four outputs among eight possible boxes, 

and 


(b) a global scrambler PP which distributes a plurality of outputs among groups of 
possible s-boxes to effect an extended P permutation. 

(7) A DES encryption method comprising: performing N DES rounds, including, for at
least one 1 <= n <= N, performing an n'th DES round on a subkey and a plain text derived
input to said n'th round wherein addition is substituted for exclusive-or in performing said
n'th DES round, wherein a subkey is defined for each of said N rounds.

(8) A WDES encryption method comprising: performing a plurality of rounds of 
WDES encryption, each round using a round function F; wherein, for the round function F 
of at least one round, a form of multiplication is substituted for exclusive-or. 

(9) A method for performing a round function of an iterated encryption for a plurality 
of 32-bit input blocks, the steps of the method being performed by a data processor, the 
method comprising the steps of: 

(a) numbering the plurality of input blocks from "0" to "n" with an input block 
number; 

(b) splitting each of the plurality of input blocks into an upper half and a lower half 
to produce plain text-derived input; 

(c) combining said plain text-derived input with a plurality of round-dependent 
subkeys according to a form of multiplication to form a blended product; 

(d) applying a plurality of s-boxes of the F function of a DES encryption algorithm
to said blended product; and 

(e) applying the P permutation of the F function of a DES encryption algorithm to 
output of step (d). 

(10) The method of claim 9, further comprising: 

(a) applying said plurality of s-boxes in bit-slice form using logic gates.

(11) The method of claim 9, further comprising: 

(a) selecting a mask determined according to a criteria selected from the group of a 
number of a round being performed and said input block number, and 

(b) combining said mask with said plain text-derived input. 

(12) The method of claim 9, wherein said form of multiplication features the steps of: 
(I) multiplying a plurality of bits from said plain text-derived input and a plurality 
of bits from said plurality of round-dependent subkeys to form a common 
multiplication product; and 


(II) performing an exclusive-or function on a plurality of bits from said plain 
text-derived input and a plurality of bits from said plurality of round-dependent 
subkeys to form a balanced product. 

(13) The method of claim 12, wherein the step of combining said plain text-derived 
input with a plurality of round-dependent subkeys further comprises the steps of: 

(III) performing an addition function on said common multiplication product and 
said balanced product to form a pseudo-random product. 

(14) The method of claim 13, wherein the step of combining said plain text-derived 
input with a plurality of round-dependent subkeys further comprises the steps of 
performing a thorough folding operation on two pseudo-random products as follows: 

(IV) folding upper half of first pseudo random product into lower half of second 
pseudo random product to form first result, 

(V) folding lower half of first pseudo random product into upper half of second 
pseudo random product to form second result, and 

(VI) concatenating first result to second result to form folded product. 

(15) The method of claim 14, wherein the step of combining said plain text-derived 
input with a plurality of round-dependent subkeys further comprises the steps of 
performing a blending operation on two folded products as follows: 

(VII) concatenating lower half of first folded product with upper half of second 
folded product to form said blended product. 

(16) The method of claim 14, wherein said folding operation is exclusive-or. 

(17) A machine for performing a cryptographic primitive comprising: 

(a) a key-inserter which employs a form of multiplication for key insertion, 
whereby block length of the cryptographic primitive is extended. 


(18) A machine according to claim 17, wherein said form of multiplication in said key 
inserter comprises: 

(a) a multiplier which performs an operation as follows: (a*b) + (a exclusive-or b). 

(19) A machine according to claim 17, further comprising: 

(a) an associator embodying a look-up-table implemented by bit-slicing. 

(20) A machine according to claim 17, further comprising: 

(a) a multiplier which performs an operation in chunks at least as large as a byte. 

(21) A machine according to claim 17, further comprising: 

(a) a multiplier which performs individual multiplications over a Fermat field with 
fewer than a logarithmic (in the size of the field) number of exceptions. 


(22) A machine according to claim 17, wherein said form of multiplication in said key 
inserter comprises: 

(a) a multiplier, performing common multiplication of arguments to yield a 
product, 

(b) a designator, designating the upper and lower half of said product, 

(c) a combiner, combining the upper half with the lower half using exclusive-or to 
form a final product, whereby the final product maintains behavior of modulo 
multiplication without the clear algebraic structure. 

(23) A machine according to claim 17, wherein said form of multiplication in said key 
inserter comprises: 

(a) a first multiplier, performing common multiplication of arguments to yield a 
first product, 

(b) a second multiplier, performing common multiplication of other arguments to 
yield a second product, 

(c) a first designator, designating an upper and lower half of said first product, 

(d) a second designator, designating an upper and lower half of said second product, 

(e) a first combiner, combining the upper half of the first product with the lower 
half of the second product using exclusive-or to form a first final product, 

(f) a second combiner, combining the upper half of the second product with the 
lower half of the first product using exclusive-or to form a second final product, 
thereby enabling folding the result of the form of multiplication with a companion 
execution. 

(24) A machine according to claim 17, wherein said form of multiplication in said key 
inserter comprises: 

(a) a multiplier to perform multiplication on a plurality of arguments to form a first 
product; 

(b) a first combiner to perform exclusive-or on said plurality of arguments to form a 
second product; 

(c) a second combiner to perform addition between said first product and said 
second product to form a gorilla product. 
(25) A folding machine according to claim 24 wherein said gorilla product is provided 
to a machine comprising: 

(a) a counter which counts said plurality of arguments, calling it n; 

(b) a repeater which provides a new set of arguments and calculates n gorilla 
products; 

(c) a splitter which divides each gorilla product into n pieces, each with index i 
from 1..n; 

(d) a combiner which combines using exclusive-or n pieces such that the combine 
will take exactly one piece from each gorilla product, and exactly one piece of any 
gorilla product with the index i for all i, such that said combiner yields a plurality 
of n folded products. 
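Claims 12 to 15 and 22 to 25 describe the same key-insertion arithmetic, first as method steps and then as machine parts. The Python below is an added example written for this edit, not text or code from the patent or any implementation of it. It implements the common product, the balanced product, the pseudo-random ("gorilla") product, the self-fold of claim 22, the n-way fold of claim 25 (which reduces to the thorough fold of claim 14 when n = 2) and the blend of claim 15. The word width `bits`, the most-significant-first piece ordering, the rotation that pairs pieces in `fold_products`, and the way `insert_keys` pairs two parallel executions are my assumptions; all sample values are constructed.

```python
from typing import List


def mask(bits: int) -> int:
    """All-ones mask for a word `bits` wide."""
    return (1 << bits) - 1


def common_product(a: int, b: int, bits: int) -> int:
    """Claim 12 (I): ordinary multiplication with any carry beyond `bits` discarded."""
    return (a * b) & mask(bits)


def balanced_product(a: int, b: int) -> int:
    """Claim 12 (II): exclusive-or of the same two arguments."""
    return a ^ b


def pseudo_random_product(a: int, b: int, bits: int) -> int:
    """Claim 13 (III): common product plus balanced product, the 'gorilla product'
    of claim 24. The XOR term stops a zero (or one) argument from wiping out the other."""
    return (common_product(a, b, bits) + balanced_product(a, b)) & mask(bits)


def fold_self(a: int, b: int, bits: int) -> int:
    """Claim 22: keep the full 2*bits-wide product and XOR its upper half into its lower half."""
    wide = a * b
    return ((wide >> bits) & mask(bits)) ^ (wide & mask(bits))


def split_pieces(x: int, n: int, bits: int) -> List[int]:
    """Claim 25 splitter: n equal pieces of a `bits`-wide word, index 0 = most significant
    (the piece ordering is an assumption)."""
    if bits % n:
        raise ValueError("word width must divide into n pieces")
    width = bits // n
    return [(x >> (width * (n - 1 - i))) & mask(width) for i in range(n)]


def fold_products(products: List[int], bits: int) -> List[int]:
    """Claim 25 combiner: folded product j is the XOR of piece (i + j) mod n of product i.
    Every combine therefore takes exactly one piece from each product and exactly one
    piece of each index (the rotation used to pair them is an assumption)."""
    n = len(products)
    pieces = [split_pieces(p, n, bits) for p in products]
    folded = []
    for j in range(n):
        acc = 0
        for i in range(n):
            acc ^= pieces[i][(i + j) % n]
        folded.append(acc)
    return folded


def thorough_fold(p1: int, p2: int, bits: int) -> int:
    """Claim 14 (IV)-(VI): the n = 2 case. upper(p1)^lower(p2) is the first result,
    lower(p1)^upper(p2) the second; concatenating them gives the folded product."""
    first, second = fold_products([p1, p2], bits)
    return (first << (bits // 2)) | second


def blend(f1: int, f2: int, bits: int) -> int:
    """Claim 15 (VII): lower half of the first folded product followed by the upper half
    of the second."""
    half = bits // 2
    return ((f1 & mask(half)) << half) | ((f2 >> half) & mask(half))


def insert_keys(inputs: List[int], subkeys: List[int], bits: int = 32) -> List[int]:
    """Key insertion for two parallel executions (claims 14-15): each input is combined
    with its subkey by pseudo_random_product, the pair is folded crosswise, and each
    execution receives a blend of the two folded products. Pairing the two executions
    with each other this way is an assumption, not a step the claims spell out."""
    p = [pseudo_random_product(x, k, bits) for x, k in zip(inputs, subkeys)]
    f1 = thorough_fold(p[0], p[1], bits)
    f2 = thorough_fold(p[1], p[0], bits)
    return [blend(f1, f2, bits), blend(f2, f1, bits)]


if __name__ == "__main__":
    # Constructed 8-bit sample values so the arithmetic can be followed by hand.
    print(hex(pseudo_random_product(0xAB, 0x01, 8)))               # 0x55
    print(hex(thorough_fold(0xAB, 0x12, 8)))                       # 0x8a
    print([hex(v) for v in insert_keys([0xAB, 0x12], [1, 1], 8)])  # ['0x77', '0x0']
```

The width is a parameter so the same functions serve the byte-sized chunks of claim 20 and the 32-bit words of claim 9. The balanced term is what keeps a zero or one argument from collapsing the product to a constant, which is the reason the claims add the exclusive-or to the multiplication rather than using the product alone.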



(26) A method for constructing a key schedule for an encryption algorithm, the steps of 
the method being performed by a data processor, the method comprising the steps of: 
(a) determining a first set of at least one subkey for the encryption algorithm; 

(b) encrypting a master key according to the encryption algorithm by using said 
first set of at least one subkey to produce a cipher text; 

(c) repeating step (b) for at least a first number of rounds required to achieve 
dependence of every bit of said cipher text on each bit of said master key; 

(d) repeating step (b) for an integral number of rounds, said integral number being 
at least one, extracting subkeys from output of said round(s); 

(e) repeating step (d) until a second set of subkeys has been generated. 



(27) The method of claim 26, further comprising the steps of: 

(i) deriving said first set of at least one subkey from DES s-box entries. 

(28) The method of claim 26, further comprising the steps of: 

(i) deriving said second set of at least one subkey from the group of the output and 
intermediate values of round function in the encryption algorithm. 


(29) The method of claim 26, further comprising the steps of: 

(i) encrypting said cipher text with said second set of at least one subkey according 
to the encryption algorithm to produce further encrypted cipher text, such that a third 
set of subkeys is created for use in encryption of actual plain text. 
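The key schedule of claims 26 to 29 as a runnable Python sketch, added here for illustration and not taken from the patent. The cipher it runs is a toy 64-bit Feistel network whose round function inserts the subkey by addition (an assumption chosen to match the page's theme, not the patent's F); the seed subkeys are constructed constants standing in for the s-box-derived first set of claim 27; `dependence_complete` is an empirical estimate of the round count that step (c) asks for, which the claims leave to the implementer.

```python
import random
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF

# Constructed seed subkeys standing in for the first set of claim 27 (which derives
# them from DES s-box entries); any fixed, public constants play the same role here.
SEED_SUBKEYS = [0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344]


def rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def round_function(right: int, subkey: int) -> int:
    """Toy round function (an assumption, not the patent's F): the subkey enters by
    addition instead of exclusive-or, then rotations spread the result."""
    t = (right + subkey) & MASK32
    return t ^ rotl32(t, 7) ^ rotl32(t, 19)


def run_rounds(left: int, right: int, subkeys: List[int], start: int, n: int) -> Tuple[int, int, int]:
    """Apply n Feistel rounds, cycling through `subkeys`; returns the state and round counter."""
    for r in range(start, start + n):
        left, right = right, left ^ round_function(right, subkeys[r % len(subkeys)])
    return left, right, start + n


def build_key_schedule(master_key: int, seed_subkeys: List[int], warmup_rounds: int,
                       rounds_per_extract: int, count: int) -> Tuple[List[int], int]:
    """Claim 26: encrypt the master key with the seed subkeys (steps a, b); run
    `warmup_rounds` rounds first (step c, chosen by the caller, see dependence_complete);
    then after every `rounds_per_extract` rounds take both 32-bit halves of the state as
    subkeys (step d) and repeat until `count` subkeys exist (step e). Returns the schedule
    and the final state, which claim 29 encrypts again under the new schedule for a third set."""
    left, right = (master_key >> 32) & MASK32, master_key & MASK32
    left, right, rnd = run_rounds(left, right, seed_subkeys, 0, warmup_rounds)
    schedule: List[int] = []
    while len(schedule) < count:
        left, right, rnd = run_rounds(left, right, seed_subkeys, rnd, rounds_per_extract)
        schedule += [left, right]
    return schedule[:count], (left << 32) | right


def encrypt_rounds(block: int, subkeys: List[int], rounds: int) -> int:
    """The bare cipher: `rounds` Feistel rounds over a 64-bit block."""
    left, right, _ = run_rounds((block >> 32) & MASK32, block & MASK32, subkeys, 0, rounds)
    return (left << 32) | right


def dependence_complete(subkeys: List[int], rounds: int, trials: int = 32, seed: int = 1) -> bool:
    """Empirical test for step (c): after `rounds` rounds, does flipping each master-key
    bit change every ciphertext bit in at least one random trial? A sampling estimate:
    a weakly dependent pair can be missed, so treat False as 'not shown yet'."""
    rng = random.Random(seed)
    for i in range(64):
        seen = 0
        for _ in range(trials):
            k = rng.getrandbits(64)
            seen |= encrypt_rounds(k, subkeys, rounds) ^ encrypt_rounds(k ^ (1 << i), subkeys, rounds)
        if seen != MASK64:
            return False
    return True


def rounds_for_full_dependence(subkeys: List[int], max_rounds: int = 32) -> Optional[int]:
    """Smallest round count at which dependence_complete holds, or None up to max_rounds."""
    for r in range(1, max_rounds + 1):
        if dependence_complete(subkeys, r):
            return r
    return None


if __name__ == "__main__":
    warmup = rounds_for_full_dependence(SEED_SUBKEYS) or 32
    second_set, state = build_key_schedule(0x0123456789ABCDEF, SEED_SUBKEYS, warmup, 1, 16)
    # Claim 29: a third set derived from the cipher text, keyed by the second set.
    third_set, _ = build_key_schedule(state, second_set, warmup, 1, 16)
    print("warmup rounds:", warmup)
    print("second set:", [f"{k:08x}" for k in second_set])
    print("third set:", [f"{k:08x}" for k in third_set])
```

Because a Feistel round is a permutation of the state for any round function, two master keys that differ in any bit always yield different schedules; what the warm-up buys is that every subkey bit depends on every master-key bit, which is the property `dependence_complete` samples for.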


(30) A symmetric cryptobox machine comprising: 

(a) circuits employing at least a 128-bit key and block size. 



(31) A machine according to claim 30, wherein 
(a) said circuits providing large key size are implemented by employing circuits 
providing a large block size. 

(32) A machine according to claim 30, further comprising: 
(a) an optimal sorting network performing combining. 

(33) A method for operating a general purpose data processor of known type to enable 
said data processor to encrypt employing a key schedule the method comprising the steps 
of: 

(a) feeding the full set of 64 key bits per block into a rearranged PC2 from DES. 

(34) A method according to claim 33, further comprising: 

(i) adding four to entries of PC2 with values above 28, prior to first usage in claim 33. 

(35) A method according to claim 33, further comprising: 
(i) performing key schedule rotation 64 bits at once rather than two groups of 32 
bits. 

(36) A method according to claim 33, further comprising: 

(i) causing sub key to depend on the serial number of the parallel execution. 

(37) A method according to claim 33, further comprising: 

(i) deriving sub key by finding a multiplicative inverse over a field. 


(38) A method according to claim 33, further comprising: 

(i) replacing zero sub key by a round dependent mask value. 



(39) A method for automatically protecting confidentiality of information stored on a 
persistent storage medium, the information being organized into a plurality of files, the 
steps of the method comprising: 

(a) protecting a plurality of files on an automatic file-by-file basis, such that each 
of said plurality of files is automatically protected individually according to the 
steps of: 
(i) using a cryptosystem to encrypt said at least one file, thereby generating an 
encrypted file; and 

(ii) storing said encrypted file on the persistent storage medium. 

(40) A method for protecting confidentiality of information written on a hard disk, the method 
comprising: 

(a) encrypting a file having a selectably known file key according to a first symmetric 
cryptosystem; and 

(b) encrypting said selectably known file key using a second symmetric cryptosystem and 
a selectably known master key derived from a selectably known pass phrase using a third 
symmetric cryptosystem wherein said third symmetric cryptosystem is operative as a 
cryptographically strong hash function. 

(41) The method of claim 40, wherein said first and said second symmetric cryptosystems are 
identical. 

(42) The method of claim 41, wherein said first, said second symmetric and said third symmetric 
cryptosystems are performed on a plurality of 32-bit input blocks, according to the steps of: 

(i) numbering the plurality of input blocks from "0" to "n" with an input block 
number; 

(ii) splitting each of the plurality of input blocks into an upper half and a lower 
half to produce plain text-derived input; 

(iii) combining said plain text-derived input with a plurality of round-dependent 
subkeys according to a form of multiplication to form a blended product; 

(iv) applying the P permutation of s-boxes of the F function of a DES encryption 
algorithm to said blended product; and 

(v) applying the P permutation of the F function of a DES encryption algorithm to 
output of step (iv). 

(43) The method of claim 40, wherein said first and said second symmetric cryptosystems are 
substantially different. 

(44) The method of claim 40, wherein at least one of said first, said second and said third symmetric 
cryptosystems are performed on a plurality of 32-bit input blocks, according to the steps of: 
(i) numbering the plurality of input blocks from "0" to "n" with an input block 
number; 

(ii) splitting each of the plurality of input blocks into an upper half and a lower half to 
produce plain text-derived input; 

(iii) combining said plain text-derived input with a plurality of round-dependent 
subkeys according to a form of multiplication to form a blended product; 

(iv) applying a plurality of s-boxes of the F function of a DES encryption algorithm 
to said blended product; and 

(v) applying the P permutation of the F function of a DES encryption algorithm to 
output of step (iv). 

(45) A method according to claim 40 further comprising the steps of: 

(c) decrypting said selectably known file key using said second symmetric cryptosystem and 
said selectably known master key; and 

(d) decrypting said file using said selectably known file key and said first symmetric 
cryptosystem. 

(46) A method according to claim 40, wherein said cryptographically strong hash function comprises 
a MAC (message authentication code). 


(47) The method according to claim 40, wherein the persistent storage medium is operated by a 
computational device having a sleep mode, said computational device having a RAM (random access 
memory), such that all information on said RAM is encrypted and written to the persistent storage 
medium as a single unit. 


(48) The method according to claim 40, wherein the persistent storage medium is operated by a 
computational device having a stand-by mode, said computational device having a RAM (random 
access memory), such that at least a portion of information on said RAM is encrypted. 

(49) A system for protecting confidentiality of information stored on a persistent storage medium, the 
system comprising: 

(a) an automatic file-by-file information protector operative to protect a plurality of files on 
an automatic file-by-file basis, the information protector including: 

(i) a symmetric encryptor using a symmetric cryptosystem to encrypt each of said 
plurality of files as an individual file, thereby to generate an encrypted individual file; 

and 
(ii) a storage manager for the persistent storage medium operative to store the 
encrypted individual file on the persistent storage medium. 

(50) A DES encryption method comprising: 

(a) performing N DES rounds, including, 

for at least one 1<=n<=N, performing an n'th DES round on a sub key and a plain text 
derived input to said n'th round wherein addition is substituted for exclusive-or in performing 
said n'th DES round, 

wherein a sub key is defined for each of said N rounds and wherein at least some of said N 
sub keys are dependent. 

(51) A method according to claim 50, wherein all of said N sub keys are derived from a standard key 
schedule. 

(52) A method according to claim 50 wherein said plain text derived input to said n'th round (n>1) 
comprises an output of a round previous to said n'th round. 

(53) A method according to claim 50 wherein said plain text derived input to said first round 
comprises at least a portion of said plain text. 


(54) A method according to claim 50 wherein said step of performing N DES rounds comprises 
performing a bit-slice implementation of DES. 

(55) A method according to one of claims 9 or 50, wherein for at least one 1<=n<=N, said step of 
combining a plurality of key-to-sub key operations thereby to obtain an (n+1)th sub key, is performed 
substantially before the (n+1)th round is performed. 

(56) A method according to claim 55, wherein for at least one 1<=n<=N, said step of combining a 
plurality of key-to-sub key operations thereby to obtain an (n+1)th sub key is performed before the 
n'th round is performed. 

(57) A method according to claim 55, wherein for at least one 1<=n<=N, said step of combining a 
plurality of key-to-sub key operations thereby to obtain an (n+1)th sub key is performed before the 
use of the n'th sub key. 

(58) A method according to claim 55, wherein for at least one 1<=n<=N, said step of combining a 
plurality of key-to-sub key operations thereby to obtain an (n+1)th sub key is performed before 
completing the use of the n'th sub key. 

(59) A DES encryption method, the steps of the method being performed by a data processor, the 
steps of the method comprising: 

(a) performing N>16 DES rounds, including, for at least one 1<=n<=N, performing an n'th 
DES round on a sub key and a plain text derived input to said n'th round wherein addition is 
substituted for exclusive-or in performing said n'th DES round. 



(60) A DES encryption system comprising: 

(a) an addition-based DES encryptor operative to perform N DES rounds including, for at 
least one 1<=n<=N, 

(b) a round-performer performing an n'th DES round on a sub key and 

(c) a plain-text-derived-input provider providing a plain text derived input to said n'th round 

wherein an adder operative to perform addition rather than exclusive-or is used to perform 
said n'th DES round, wherein a sub key is defined for each of said N rounds and wherein at 
least some of said N sub keys are dependent. 

(61) A DES encryption method, the steps being performed by a data processor having 32 bit registers, 
the steps of the method comprising: 

(a) performing N DES rounds, including, for at least one 1<=n<=N, performing an n'th DES 
round on a sub key and a plain text derived input to said n'th round to perform a bit-slice 
implementation of DES. 


(62) A DES encryption method, the steps being performed by a data processor having registers of 
fewer than 64 bits, the steps of the method comprising: 

(a) performing N DES rounds, including, for at least one 1<=n<=N, performing an n'th DES 
round on a sub key and a plain text derived input to said n'th round to perform bit-slice 
implementation of DES. 

(63) A DES encryption method, the steps being performed by a data processor, the steps of the 
method comprising: 

(a) computing a sub key for each of N DES rounds, at least some of said N sub keys being 
dependent, by combining a plurality of key to sub key operations into a single key to sub key 
operation on a DES key, thereby to provide a sub key; and 

(b) performing N DES rounds. 
(64) A DES encryption method, the steps being performed by a data processor, the steps of 
the method comprising: 

(a) using first and second permutations and a mapping to perform each of N DES rounds, 
wherein the first permutation includes a left half L* and a right half R* and wherein 
L* comprises a composition of an inverse P permutation and a left half, L, of an 
initial permutation, and wherein R* comprises a composition of the inverse P 
permutation and a right half, R, of the initial permutation, wherein the second 
permutation includes a left half L** and a right half R** and wherein L** 
comprises a composition of the P permutation and a left half of the final permutation, 
and R** comprises a composition of the P permutation and a right half of the final 
permutation, and, wherein the mapping comprises a composition of the P 
permutation with an E expansion. 

(65) A DES encryption method, the steps being performed by a data processor, the steps of the 
method comprising: 

(a) performing N DES rounds, including, for at least one 1<=n<=N, performing an n'th 
DES round on a sub key and a plain text derived input to said n'th round wherein 
addition is substituted for exclusive-or in performing said n'th DES round, wherein 
said step of performing N DES rounds comprises performing a bit-slice 
implementation of DES. 

(66) A DES encryption method, the steps being performed by a data processor, the steps of the 
method comprising: 

(a) performing N DES rounds, including, for at least one 1<=n<=N, generating an n'th 
k-bit s-box input by performing an n'th DES round on a k-bit sub key and a k-bit plain 
text derived input to said n'th round wherein multiplication, in which any carry beyond 
k bits is discarded, is substituted for exclusive-or in performing said n'th DES round. 

(67) A method according to claim 66, wherein all of said N sub keys are derived from a 
standard key schedule. 

(68) A method according to claim 66, wherein said plain-text derived input to said n'th round 
(n>1) comprises an output of a round previous to said n'th round. 

(69) A method according to claim 66, wherein said plain text derived input to said first round 
comprises at least a portion of said plain text. 

(70) A method according to claim 66, wherein N>16. 
(71) A DES encryption system comprising: 

(a) a DES encryptor operative to perform N>16 DES rounds, including, for at least one 
1<=n<=N, 

(b) a round-performer performing an n'th DES round on a sub key and 

(c) a plain text derived input provider operative to provide a plain text derived input to 
said n'th round wherein addition is substituted for exclusive-or in performing said n'th 
DES round. 

(72) A method according to claim 66 wherein said step of performing an n'th DES round 
comprises performing a bit-slice DES round. 

(73) A method according to claim 66, wherein a sub key is defined for each of said N rounds 
and wherein at least some of said N sub keys are dependent. 

(74) A DES encryption method, the steps being performed by a data processor, the steps of the 
method comprising: 

(a) performing N DES rounds, including, for at least one 1<=n<=N, performing an n'th 
DES round on a sub key and a plain text derived input to said n'th round wherein 
addition is substituted for exclusive-or in performing said n'th DES round, wherein 
said step of performing N DES rounds comprises performing a bit-slice 
implementation of DES. 

(75) A WDES encryption method, the steps being performed by a data processor, the steps of 
the method comprising: 

(a) performing a plurality of rounds of WDES encryption, each round using a round 
function F; wherein, for the round function F of at least one round, addition with final 
carry neglected is substituted for exclusive-or. 

(76) A DES encryption method comprising: performing N DES rounds, including for at least 
one 1<=n<=N, generating an n'th k-bit s-box input by performing an n'th DES round on a 
k-bit sub key and a k-bit plain text derived input to said n'th round wherein multiplication, 
performed over a ring, is substituted for exclusive-or in performing said n'th DES round. 

(77) A method according to claim 76, wherein said multiplication over a ring comprises 
multiplication over a finite field. 

(78) A method according to claim 76, wherein said ring has a modulus and said modulus is a 
product of less than 5 primes. 
(79) A method according to claim 77, wherein said ring has a modulus and said modulus is a 
product of less than 4 primes. 

(80) A method according to claim 77, wherein said ring has a modulus and said modulus is a 
product of 2 primes. 

(81) A method according to claim 77, wherein said ring has a modulus and said modulus is 
prime. 

(82) A method according to claim 77, wherein said ring has a modulus and said modulus 
comprises a product of a plurality of primes at least one of which slightly exceeds an 
exponent of 256. 

(83) A method according to claim 77, wherein said ring has a modulus and said modulus 
comprises a product of a plurality of primes at least one of which slightly exceeds an 
exponent of 65536 such as 65536 or iP" or "f^ or 2^. 

(84) A method according to claim 77, wherein said ring has a modulus and said modulus 
comprises a product of a plurality of primes at least one of which is slightly less than an 
exponent of 256. 


(85) A method according to claim 77, wherein said ring has a modulus and said modulus 
comprises a product of a plurality of primes at least one of which is slightly less than an 
exponent of 65536 such as 65536 or ip- or or 2^. 

(86) A method according to claim 77, wherein said step of performing an n'th DES round 
comprises performing a bit-slice DES round. 

(87) A DES encryption system comprising: 

(a) a DES encryptor for performing N>16 DES rounds, including, for at least one 
1<=n<=N, an addition-based DES engine operative to perform an n'th DES round on 
a sub key and a plain text derived input to said n'th round wherein addition rather than 
exclusive-or is used to perform said n'th DES round. 

(88) A DES encryption system comprising: 

(a) a DES encryptor for performing N DES rounds, including, for at least one 1<=n<=N, 
a DES engine operative to perform an n'th DES round on a sub key and a plain text 
derived input to said n'th round; and 
(b) a computer having registers whose size is less than 64 bits, wherein said DES 
encryptor is configured to perform said N DES rounds including performing a bit-slice 
implementation of DES while running on said computer. 



(89) A DES encryption system comprising: 

(a) a sub key computation engine operative to compute a sub key for each of N DES 
rounds, at least some of said N sub keys being dependent, the sub key computation 
engine including a single key-to-sub key operation and performing said single key-to- 
sub key operation on a DES key, thereby to provide a sub key; and 
(b) a DES engine operative to perform N DES rounds using said N sub keys. 

(90) A DES encryption system comprising: 

(a) a DES encryptor using first and second permutations and a mapping to perform each 
of N DES rounds, the DES encryptor comprising: 

(i) a first permutation provider providing the first permutation which includes a 
left half L* and a right half R* and wherein L* comprises a composition of an 
inverse P permutation and a left half L of an initial permutation, and wherein 
R* comprises a composition of an inverse P permutation and a right half R of 
an initial permutation, 

(ii) a second permutation provider providing the first permutation which includes 
a left half L** and a right half R** wherein L** comprises a composition of 
the P permutation and a left half L of a final permutation, and wherein R** 
comprises a composition of the P permutation and a right half R of a final 
permutation, and 

(iii) a mapping provider providing the mapping which comprises a composition of 
the P permutation and the E expansion. 

(91) A DES encryption system comprising: 

(a) a DES encryptor operative to perform N DES rounds, including an addition-based 
DES engine performing, for at least one 1<=n<=N, an n'th DES round on a sub key and 
a plain text derived input to said n'th round wherein addition rather than exclusive-or 
is used in performing said n'th DES round, wherein said N DES rounds are 
performed by performing a bit-slice implementation of DES. 



(92) A DES encryption system comprising: 
(a) a DES encryptor operative to perform N DES rounds, including an s-box input 
provider operative to provide for at least one 1<=n<=N an n'th k-bit s-box input by 
performing an n'th DES round on a k-bit sub key and a k-bit plain text derived input 
to said n'th round wherein multiplication, in which any carry beyond k bits is discarded, 
is used, rather than using exclusive-or in performing said n'th DES round. 
(93) A DES encryption system comprising: 

(a) a DES encryptor operative to perform N DES rounds, including an addition-based 
DES engine operative, for at least one 1<=n<=N, to perform an n'th DES round on a 
sub key and a plain text-derived-input to said n'th round wherein addition rather than 
exclusive-or is used in performing a bit-slice implementation of DES. 

(94) A WDES encryption system comprising: 

(a) a WDES encryptor operative to perform a plurality of rounds of WDES encryption, 
each round using a round function F, said WDES encryptor including an addition-based 
WDES engine operative for the round function F of at least one round to 
perform addition with final carry neglected rather than performing exclusive-or. 

(95) A WDES encryption system comprising: 

(a) a WDES encryptor operative to perform a plurality of rounds of WDES encryption, 
each round using a round function F, said WDES encryptor including a common 
multiplication-based WDES engine operative for the round function F of at least one 
round to perform common multiplication with final carry neglected rather than 
performing exclusive-or. 


(96) A DES encryption system comprising: 

(a) a DES encryptor operative to perform N DES rounds, the DES encryptor including, 
for at least one 1<=n<=N, an s-box input provider operative to provide an n'th k-bit 
s-box input by performing an n'th DES round on a k-bit sub key and a k-bit plain text 
derived input to said n'th round wherein said n'th DES round includes performing 
multiplication over a ring rather than performing exclusive-or. 

(97) A method for performing a cryptographic primitive employing a key schedule comprising 
the steps of: 

(a) feeding the full set of 64 key bits per block into a rearranged PC2 from DES. 

(98) A method according to claim 97, further comprising at least one of the following: 

(i) adding four to entries of PC2 with values above 28, prior to first usage in 
claim 97. 

(ii) performing key schedule rotation 64 bits at once rather than two groups of 32 
bits. 

(iii) causing sub key to depend on the serial number of the parallel execution. 

(iv) deriving sub key by finding multiplicative inverse over a field. 

(v) replacing zero sub key by a round dependent mask value. 
(99) A machine for performing a cryptographic primitive comprising: 

(a) a key-inserter which employs a form of multiplication for key insertion, whereby 
block length of the cryptographic primitive is extended. 


(100) A machine according to claim 99, wherein 

(b) a logic-gate implementation of a bit-slice representation of at least one component of 
said cryptographic primitive. 

(101) A machine according to claim 100, wherein said component is a plurality of s-boxes. 

(102) A machine according to claim 99, wherein said cryptographic primitive is 

(b) a WDES encryptor operative to perform a plurality of rounds of WDES encryption 
employing a plurality of WDES-round encryptors. 

(c) at least one WDES-round encryptor has a form of multiplication substituted for 
exclusive-or as key-inserter. 

(103) A machine according to claim 99 operative on plain-text derived input, further 
comprising: 

(b) a memory providing a series of numbers having no known concise description, and 

(c) a combiner combining said numbers on a bit-by-bit basis with limited carry into the 
stream of said plain-text derived input. 

(104) A machine according to claim 103, wherein said memory provides the s-boxes of DES as 
numbers. 

(105) A machine according to claim 103, wherein said memory provides digits selected from the 
group consisting of mathematical constants pi and e. 

(106) A machine according to claim 99, operative to extend the effect of the P permutation 
comprising: 

(b) a permuter whose local effect, within a group of 8 s-boxes, is identical to that of said 
P permutation, and 
(c) said permuter whose global effect is to apply a reduced P permutation between a 
collection of s-boxes. 



(107) A machine according to claim 99 on a plurality of input blocks, wherein 

(b) a splitter operative to split each of the plurality of input blocks into an upper half and a 
lower half to produce plain text derived input, 

(c) a combiner combining said plaintext derived input with a plurality of round dependent 
subkeys according to a form of multiplication to form a blended product in at least one round: 

(d) a sbox engine applying a plurality of s-boxes of the F function of DES encryption 
algorithm to said blended product; and 

(e) a permuter applying the P permutation to output of said engine. 



(108) A machine according to claim 107, wherein 

(c) said combiner combines said plaintext derived input with a plurality of round dependent 
subkeys by employing addition as the form of multiplication to form a blended product. 

(109) A machine according to claim 99, wherein said form of multiplication in 
said key inserter comprises: 

(a) a multiplier performing common multiplication of arguments to yield a product. 

(b) a designator, designating an upper and a lower half of said product. 

(c) a combiner, combining the upper half with the lower half employing exclusive-or to form 
a final product. 



(110) A machine according to claim 99, wherein said form of multiplication in said key inserter 
comprises: 

(a) a first multiplier, performing common multiplication of arguments to yield a first product. 

(b) a second multiplier, performing common multiplication of other arguments to yield a 
second product. 

(c) a first designator, designating an upper and lower half of said first product. 

(d) a second designator, designating an upper and lower half of said second product. 

(e) a first combiner, combining the upper half of the first product with the lower half of the 
second product using exclusive-or to form a first final product. 

(f) a second combiner, combining the upper half of the second product with the lower half of 
the first product using exclusive-or to form a second final product. 
(111) A machine according to claim 99, wherein said form of multiplication operative in the cryptographic primitive with plaintext derived input further comprises:

(i) a multiplier operative to multiply a plurality of bits from said plaintext derived input. 

(112) A machine according to claim 99, operative as a hash function, 

(a) said hash function providing ciphertext output. 

(b) a folder providing a folding operation on said output. 

(113) A machine according to claim 99, comprising:

(a) a permutation combiner providing a composition of a P permutation with a final 
permutation, and providing a composition of an inverse P permutation with an initial 
permutation. 

(114) A machine according to claim 99, comprising:

(a) a mapping combiner providing a composition of a P permutation and an E expansion.

(115) A machine according to claim 99, comprising: 

(a) an s-box combiner providing a composition of at least two of the following: E expansion, s-boxes, and P permutation.

(116) A machine according to claim 99, said primitive further comprising:

(b) a folding device operative to perform folding among a plurality of results of employed 
form of multiplication. 

(117) A machine according to claim 99, said primitive further comprising:

(b) a blending device operative to perform blending among a pair of results of employed form 
of multiplication. 

(118) A cryptobox machine comprising: 

(a) a plain text provider providing a plain text. 

(b) a subkey provider providing a plurality of subkeys. 

(c) an inner cryptobox employing said plain text and said subkeys to generate new subkeys, 
and 

(d) a connector providing said new subkeys to another cryptobox to process more plain texts. 
(119) A machine according to claim 118 further comprising:

(e) said inner cryptobox also providing a ciphertext output, whereby encryption occurs a block at a time and information is transferred from encryption of one block to another via the new subkeys.

(120) A machine according to claim 118 further comprising:

(e) a Feistel structure with a place for a round function box;
(f) a round function box providing round-output of said new subkeys, whose input as plaintext is said plain text from said plain text provider, and whose input as key is said subkey from said subkey provider.

(121) A machine according to claim 120 further comprising: 

(g) a cryptobox key provider providing a cryptobox key. 

(h) a cryptobox machine operative to encrypt said round function box output employing a cryptobox key, yielding revised round function box output used in said Feistel structure.

(122) A machine according to claim 118 wherein said inner cryptobox comprises:

(a) a subkey provider providing a plurality of subkeys;
(b) a local cryptobox encrypting a master key according to encryption algorithm by using said subkey to produce a cipher text;

(c) a dependency ensurer cryptobox which ensures dependence of every bit of said cipher text on each bit of said master key by employing a plurality of said local cryptoboxes in sequence using previous cipher text as plain text;

(d) a new subkey extractor providing a single new subkey employing said local cryptobox to provide said new subkey and a new cipher text;

(e) a masterkey mixer employing a series of local cryptoboxes, at least zero times in series using previous cipher text as plain text.

(123) A machine according to claim 118 comprising: 

(a) employing said inner cryptobox a plurality of times, using new subkeys of previous as
subkey of next time, using cipher text of previous as plain text of next time, yielding new 
subkeys of final time as output 
(124) A method for automatically protecting confidentiality of information stored on a persistent storage medium, the information being organized into a plurality of files, the steps of the method comprising:

(a) protecting a plurality of files on an automatic file-by-file basis such that each of said plurality of files is automatically protected individually according to the steps of:

(i) using a cryptosystem to encrypt said at least one file, thereby generating an encrypted file; and

(ii) storing said encrypted file on the persistent storage medium.

(125) The method according to claim 124, wherein the persistent storage medium is operated by a computational device having a sleep mode, said computational device having a RAM (random access memory), such that all information in said RAM is encrypted and written to the persistent storage medium as a unit.

(126) The method according to claim 124, wherein the persistent storage medium is operated by a computational device having a sleep mode, said computational device having a RAM (random access memory), such that at least a portion of information in said RAM is encrypted.






(127) The method according to claim 124, wherein a ramdisk is used to store key material. 

(128) A method according to claim 124, comprising the steps of: 

(129) A method according to claim 124, comprising the steps of: 

(b) performing a portion of said cryptosystem using a logic-gate implementation of a bit-slice 
representation of at least one component of said cryptosystem. 

(130) A method according to claim 124, said cryptosystem comprising the steps of:

(a) providing plain text,

(b) providing a plurality of subkeys,

(c) employing said plain text and said subkeys to generate new subkeys, and

(d) providing said new subkeys to another cryptosystem to process more plain texts.
Figure 1

110  Number the 32-bit input blocks 0..n; split each block into upper and lower halves.

120  Optionally, XOR plaintext derived input with a round and input block number dependent mask. Optionally derive the mask from s-boxes.

130  Employ a form of multiplication to combine plaintext derived input (output from step 110 or 120) with round dependent subkeys. Preferably and optionally, employ common multiplication of the two arguments plus XOR of the two arguments.

140  Fold the result of two multiplications together. Preferably and optionally, the fold is XOR of the upper half of one multiplication with the lower half of the other. Preferably, concatenate the results together to form a full-size number.

150  Fold the result of the previous folding to effect folding of four distinct multiplications together. Preferably, fold by concatenation of the lower half of the first argument with the upper half of the second argument.

160  Optionally, perform the E expansion mapping immediately before the s-boxes or prior to the multiplication step.

170  Apply s-boxes (bit-slicing logic gates optional). Apply the P permutation.
Figure 2

210  Key inserter employs a form of multiplication for key insertion.

220  Optionally, key inserter employs a form of multiplication comprising (a*b)+(a XOR b).

230  Optionally, key inserter employs a form of multiplication that is modulo over a Fermat field.

240  Optionally, key inserter employs a form of multiplication that is common multiplication with upper and lower halves folded together.

250  Optionally, key inserter employs a form of multiplication that is common multiplication with upper and lower halves folded into companion executions.

260  Optionally, key inserter employs a form of multiplication which takes more than two arguments, for example a, b, c, comprising (a*b*c)+(a XOR b XOR c).

270  Optionally, key inserter in a machine which employs bit-slicing s-boxes.
Figure 3

310  Employ an operation on two inputs yielding a double-size result, folding half of the result into a companion execution.

320  Optionally, employ an operation on a plurality of n inputs yielding an n-size result, split into n equal pieces, folding n-1 pieces of the result into a companion execution.

330  Optionally, employ an operation for which each of the n pieces is labeled i=0..n-1; ensure that when folding, no two pieces with the same label i are folded into a given execution, even if the label i refers to pieces in distinct executions.

340  Optionally, employ an operation on two inputs yielding a double-size result in order to mix two distinct arguments. This may be applied a plurality of times.
Figure 4

410  Set encryption algorithm to use a set of subkeys which are known in advance. Optionally, derive the subkeys from DES s-box entries.

420  Encrypt the desired master key at least the number of rounds needed to achieve dependence of every bit of the ciphertext on each bit of the master key.

430  Encrypt further an integral number of rounds, typically 1, 4, 8 or 16. Use output of s-boxes (step 170) as desired subkeys.

440  Repeat previous step until sufficient subkey material is pseudo-randomly generated for all the rounds. Typically 16 times.

450  Optionally, set the encryption keys to be the subkeys generated (in steps 430-440) and encrypt the ciphertext generated (by going to step 420).
Figure 5

510  A hasher using at least a 128-bit key and block size.

A hasher functional as a hash function wherein every bit of key and every bit of plaintext cause every single bit of the resultant ciphertext to become unpredictable.

530  A hasher which implements large key size by circuits providing a large block size, creating a key scheduler able to perform key schedules in zero additional time, creating a long-range mixer able to thoroughly mix input over the entire block size. A rapid-key-schedule-designer deterministically converts any similar hasher into a key schedule.

540  Optional, optimal sorting network providing a large block size extendable to arbitrary sizes.
Figure 6

610  Encrypt employing a key schedule comprising feeding the full set of 64 key bits per block into a rearranged PC2 from DES, whereby all of the key bits provided by the user are employed.

620  Optionally, use entries of PC2 in which values above 28 have four added to them, whereby the key schedule will have balanced left and right halves.

630  Optionally, carry out key schedule rotation 64 bits at a time rather than in two groups of 32 each.

640  Optionally, modify subkey based on the serial number of the parallel execution, whereby even if the master key repeats exactly, the subkeys will not.

650  Optionally, derive subkey by finding a multiplicative inverse over a field.

660  Optionally, replace zero subkey with a round dependent mask value.
Figure 7

A form of multiplication features the steps of:

(i)  multiplying a plurality of bits from plaintext-derived input and a plurality of bits from plurality of round-dependent subkeys to form a common multiplication product; 710

(ii)  performing an exclusive-or function on a plurality of bits from plaintext-derived input and a plurality of bits from plurality of round-dependent subkeys to form a balanced product; 720

(iii)  preferably, performing an addition function on common multiplication product and balanced product to form a pseudo-random product; 730

(iv)  folding upper half of first pseudo-random product into lower half of second pseudo-random product to form first result; 740

(v)  folding lower half of first pseudo-random product into upper half of second pseudo-random product to form second result; 750

(vi)  concatenating first result to second result to form a folded product; 760

(vii)  concatenating lower half of first folded product with upper half of second folded product to form a blended product. 770
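The form of multiplication of Figure 7 and claims 109-110, written out in Python as an added example (not code from the patent): 32-bit plaintext words and subkeys, 64-bit pseudo-random products, cross-folding with a companion execution, then blending two folded products so four multiplications meet in each output. The pairing of the four executions and the sample inputs are my assumptions; the page only says four distinct multiplications are folded together.

```python
# Added example (not the patent's code): the "form of multiplication" of Figure 7
# and claims 109-110, for four companion executions of 32-bit words.
MASK32 = (1 << 32) - 1
MASK64 = (1 << 64) - 1


def pseudo_random_product(a, b):
    """Steps (i)-(iii): (a*b) + (a xor b) on 32-bit arguments.

    a is a plaintext-derived word, b a round subkey. The common product is at
    most 2**64 - 2**33 + 1 and the xor at most 2**32 - 1, so the sum always
    fits in 64 bits; the mask only guards against oversized arguments.
    """
    a &= MASK32
    b &= MASK32
    return ((a * b) + (a ^ b)) & MASK64


def halves(x):
    """The 'designator' of claim 109: upper and lower 32-bit halves of a 64-bit word."""
    return (x >> 32) & MASK32, x & MASK32


def fold_pair(p1, p2):
    """Steps (iv)-(vi): cross-fold two companion products into one folded product.

    first result   = upper(p1) xor lower(p2)
    second result  = lower(p1) xor upper(p2)
    folded product = first || second   (64 bits)
    The fold is not symmetric: fold_pair(p2, p1) is the companion's view of it.
    """
    hi1, lo1 = halves(p1)
    hi2, lo2 = halves(p2)
    return ((hi1 ^ lo2) << 32) | (lo1 ^ hi2)


def blend_pair(f1, f2):
    """Step (vii): lower half of the first folded product || upper half of the second."""
    _, lo1 = halves(f1)
    hi2, _ = halves(f2)
    return (lo1 << 32) | hi2


def key_insert(words, subkeys):
    """Key insertion for four companion executions run side by side.

    words[i] and subkeys[i] belong to execution i. Pairing is my assumption:
    executions (0,1) and (2,3) fold with each other, then (0,2) and (1,3)
    blend, so every output carries bits derived from all four products.
    Returns one 64-bit blended product per execution.
    """
    if len(words) != 4 or len(subkeys) != 4:
        raise ValueError("this demonstration folds exactly four companion executions")
    p = [pseudo_random_product(a, b) for a, b in zip(words, subkeys)]
    folded = [fold_pair(p[0], p[1]), fold_pair(p[1], p[0]),
              fold_pair(p[2], p[3]), fold_pair(p[3], p[2])]
    return [blend_pair(folded[0], folded[2]), blend_pair(folded[1], folded[3]),
            blend_pair(folded[2], folded[0]), blend_pair(folded[3], folded[1])]


def companions_affected(words, subkeys, changed_index, new_word):
    """Which executions see a different blended product when one input word changes?

    This is the property the abstract claims for the construction: a parallel
    encryption depends on its companions' inputs, not only on its own.
    """
    before = key_insert(words, subkeys)
    altered = list(words)
    altered[changed_index] = new_word
    after = key_insert(altered, subkeys)
    return [x != y for x, y in zip(before, after)]


if __name__ == "__main__":
    # Constructed sample inputs: small words plus one all-ones subkey, so the
    # last product has a non-zero upper half and its change reaches every output.
    words = [3, 2, 0, 1]
    subkeys = [5, 3, 0, 0xFFFFFFFF]
    for i, out in enumerate(key_insert(words, subkeys)):
        print(f"execution {i}: blended product 0x{out:016x}")
    print("changing execution 3 alters:", companions_affected(words, subkeys, 3, 7))
```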



SUBSTITUTE SHEET (RULE 26)

WO 99/08411    PCT/IL98/00369    8/36



Figure 8

810  Extended P permutation machine.

820  Local permuter distributing bits from output of a given local scrambler approximately evenly to input of other local scramblers.

830  Designator designating S-box output; enumerator numbering S-box output bits from 0..3.

840  Case 1: Block size is one. Mapper mapping from 0..3 to 0..3 respectively.

850  Case 2: Block size is two, swap one public and one private bit. Mapper mapping from 0, 2 to 0, 2 of other block. Mapper mapping from 1, 3 to 1, 3 of current block.

860  Case 3: Block size is three, export a public bit to each neighbor. Mapper mapping from 1, 2 to 1, 2 of current block. Mapper mapping from 0 to 0 of next block. Mapper mapping from 3 to 3 of previous block.

870  Case 4: Block size is four, send one bit to each block. Mapper mapping from 0 to 0 of current block. Mapper mapping from 1 to 1 of next block. Mapper mapping from 2 to 2 of next next block. Mapper mapping from 3 to 3 of previous block.






Figure 9

Given X, Y, A, B, C, D.

920  Compute all 6 complements of each: x, y, a, b, c, d (lower case denotes the complement).

930  Compute 4 binary products (and) of X, Y with complements.

940  Compute 8 ternary products (and) of X, Y, A with complements.

950  Compute 4 binary products (and) of C, D with complements.

960  Compute 8 ternary products (and) of B, C, D with complements.

970  Compute 4 binary sums (or) of C, D with complements.

Compute 8 ternaries of B and (C or D) with complements.

980  Compute 2 exclusive-ors: C xor D and c xor D.

985  Compute 4 binaries of B and (C xor D) with complements.

990  Compute 4 products of B with C with complements, then B with D with complements. Therewith build table entries.
Figure 10

A10  Create a set of masks.

A20  Initialize the masks to zero.

A30  Let each mask be composed of nibbles from entries in the s-box table, such that each s-box table entry is used exactly once.
TABLE I
Key Selection Permutation Table

14  17  11  24   1   5
45  56  35  41  51  59
 3  28  15   6  21  10
48  53  43  60  38  57
23  19  12   4  26   8
34  44  55  49  37  52
16   7  27  20  13   2
50  46  54  40  33  36
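As an added example (not the patent's own code), the Figure 6 key schedule and Table I in Python: the rearranged PC-2 is derived from the standard DES PC-2 by adding four to every entry above 28, cross-checked against Table I as printed above, and then used to draw 48-bit subkeys from a full 64-bit key rotated as a single register. The per-round rotation amounts, the sample key and the zero-subkey mask constant are my assumptions; the page does not give them.

```python
# Added example (not the patent's code): the Figure 6 / Table I key schedule,
# built from the standard DES PC-2 table and applied to a full 64-bit key.
MASK64 = (1 << 64) - 1

# Standard DES PC-2 (FIPS 46): 48 one-based positions into the 56-bit CD register.
DES_PC2 = [
    14, 17, 11, 24,  1,  5,
     3, 28, 15,  6, 21, 10,
    23, 19, 12,  4, 26,  8,
    16,  7, 27, 20, 13,  2,
    41, 52, 31, 37, 47, 55,
    30, 40, 51, 45, 33, 48,
    44, 49, 39, 56, 34, 53,
    46, 42, 50, 36, 29, 32,
]

# Table I exactly as printed on the page, kept only to cross-check the derivation.
TABLE_I = [
    14, 17, 11, 24,  1,  5,
    45, 56, 35, 41, 51, 59,
     3, 28, 15,  6, 21, 10,
    48, 53, 43, 60, 38, 57,
    23, 19, 12,  4, 26,  8,
    34, 44, 55, 49, 37, 52,
    16,  7, 27, 20, 13,  2,
    50, 46, 54, 40, 33, 36,
]

# Per-round left-rotation amounts. Assumption: the page says only that rotation
# is carried out 64 bits at a time, so the standard DES amounts are reused.
ROTATIONS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]


def rearranged_pc2(pc2=DES_PC2):
    """Step 620: entries above 28 get four added, moving the right-half picks
    from positions 29..56 of a 56-bit register to 33..60 of a 64-bit one."""
    return [e + 4 if e > 28 else e for e in pc2]


def half_balance(table):
    """How many picks come from the left 32 bits and how many from the right 32."""
    left = sum(1 for e in table if e <= 32)
    return left, len(table) - left


def select_bits(reg64, table):
    """Compress the 64-bit register to a 48-bit subkey; position 1 is the MSB (DES convention)."""
    out = 0
    for pos in table:
        out = (out << 1) | ((reg64 >> (64 - pos)) & 1)
    return out


def rotl64(x, n):
    """Step 630: rotate the whole 64-bit register, not two 32-bit halves separately."""
    n %= 64
    return ((x << n) | (x >> (64 - n))) & MASK64


def key_schedule(key64, rounds=16, table=None):
    """Step 610: all 64 user key bits take part; there is no PC-1 parity drop."""
    table = rearranged_pc2() if table is None else table
    reg = key64 & MASK64
    subkeys = []
    for r in range(rounds):
        reg = rotl64(reg, ROTATIONS[r % 16])
        subkeys.append(select_bits(reg, table))
    return subkeys


def subkey_for_multiplication(subkey, round_no, mask_base=0x9E3779B97F4A7C15):
    """Step 660: a zero subkey would make a multiplicative key insertion collapse
    to (a*0) + (a xor 0) = a, so replace it with a round-dependent mask.
    The mask constant is my choice, not one given on the page."""
    if subkey != 0:
        return subkey
    return (mask_base * (round_no + 1)) & ((1 << 48) - 1)


if __name__ == "__main__":
    table = rearranged_pc2()
    print("rearranged PC-2 matches Table I:", sorted(table) == sorted(TABLE_I))
    print("standard PC-2 left/right picks:", half_balance(DES_PC2))
    print("rearranged PC-2 left/right picks:", half_balance(table))
    for r, k in enumerate(key_schedule(0x0123456789ABCDEF)):  # constructed sample key
        print(f"round {r + 1:2d}: subkey 0x{k:012x}")
```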
Figure 11

Block diagram of subkey chaining; the text of the boxes is:

Predetermined initial subkeys; Master key; Symmetric cipher e.g. TMD; Encrypted master key; Master-key derived subkeys (this group is drawn twice).

Then a chain of three stages, each: Plaintext -> Symmetric cipher e.g. TMD -> Ciphertext, with "Chaining value as new subkeys" passed from each cipher to the next.
Figure 12

C10  Number the 32-bit input blocks 0..n; split each block into upper and lower halves.

C30  Use a form of multiplication to combine plaintext derived input (output from step C10 or C20) with round dependent subkeys.

C40  Fold the result of two multiplications together.

C50  Fold the result of the previous folding to effect folding of four distinct multiplications together.

C60  Apply E expansion mapping.

C70  Apply the s-boxes. Apply the P permutation.
Figure 13

D10  Set encryption algorithm to use a set of subkeys which are known in advance. Optionally, derive the subkeys from constants available elsewhere in the implementation.

D20  Encrypt desired master key at least the number of rounds needed to achieve dependence of every bit of ciphertext on each bit of master key.

D30  Encrypt further an integral number of rounds. Use the intermediate values generated within a round as building blocks to form desired subkeys.

D40  Repeat previous step until sufficient subkey material is pseudo-randomly generated for all the rounds. Method used for key generation may differ from that employing these generated subkeys.

D50  Optionally, set encryption keys to subkeys generated (steps D30-D40) and encrypt the ciphertext generated (by going to step D20). Optionally, use method to generate a master key from shorter supplied key material.






Figure 14

MultiDES INTERNAL ROUND (64 block size, 64 key size)

Input is 32-bit piece -> Expansion (32 to 48 bits) -> Substitution boxes (48 to 32 bits) -> P-Permutation (32 bits).

Expansion, permutation and substitution boxes shown are typically those appearing in prior art DES. Multiplication section blowup shown in Figure 16.
Feistel Structure

TMD (128 block, 128 key)

PLAINTEXT (128 bits) -> Initial round -> 14 rounds -> Final round -> CIPHERTEXT

Legend for figures 14-16:
(+) indicates exclusive-or
( ) indicates a form of multiplication
A square with a '+' inside is standard addition
Figure 16

MultiDES INTERNAL ROUND, Multiplication Section detail (64 block size, 64 key size)

Output labelled: To XOR of upper and lower halves.
Figure 17

Legend for figures 17-19:
( ) receives 32-bit inputs, yields 64-bit output
(+) receives 32-bit inputs, yields 32-bit output

TMD: INTERNAL ROUND, Two MultiDES Rounds (128 block size, 128 key size). KEY input shown.
Figure 18

TMD: INNER ROUND FUNCTION, Three rounds of MultiDES in tandem.

Input is a 96-bit piece, split into three 32-bit pieces; each piece passes through Expansion, Substitution boxes and Permutation.
Figure 19

TMD INNER ROUND FUNCTION, Four rounds of MultiDES in tandem (256 block size, 256 key size).

Input is a 128-bit piece, split into four 32-bit pieces; each piece passes through Expansion, Substitution boxes and Permutation.
Figure 20

10  Detect intention to write to a cluster c.

20  Trap information provided by a user which is intended to be written to cluster c (or to a portion of a file using a file handle) and use a symmetric cryptosystem to encrypt said information.

30  Store said information as cluster c (or to a portion of a file using a file handle) on a notebook computer.
Figure 21

100  Provide a pass phrase, e.g. choose any combination of human language-like words containing ideally 80 to 90 or more bits of entropy.

110  Provide a MAC key k (typically k at most 128 bits).

120  Process the pass phrase using MD5-MAC and k, with preferably modified final step 6 in which a full 128-bit quantity is obtained.

130  Partition the 128-bit quantity into a pair of 64-bit quantities to obtain a key protection key (typically 56 or 64 bits) and a key generation key (typically 56 or 64 bits).

140  Generate a file key using figure 3 and the key generation key.
Figure 22

200  Given a sector of a DOS directory and the offset 1 < j < 17 of a particular file entry within it, generate a cryptographic key (typically DES) as follows:

210  Provide 8 bytes per directory entry starting at 16 Hex, 36 Hex, 56 Hex, etc., obtaining 16 64-bit intermediate keys (typically DES) numbered 0 < i < 17.

220  Encrypt using an algorithm with 64-bit block size and 64-bit key size (typically DES) with intermediate key i as plaintext and intermediate key j as the key to obtain an intermediate value as ciphertext.

230  Encrypt using an algorithm with 64-bit block size and 64-bit key size (typically DES) with intermediate key i as plaintext and intermediate value from the previous encryption as the key to obtain a new intermediate value as ciphertext.

240  i < 17? (Y: loop)

260  Encrypt using an algorithm with 64-bit block size and 64-bit key size (typically DES) with the resulting intermediate value for i=16 as plaintext and key generation key from the MD5-MAC (typically as in figure 2) as the key to obtain a file key as ciphertext.
Figure 23

300  Generate a symmetric cipher key (typically using figure 3).

310  Encrypt a file or directory with a symmetric cipher (typically DES, typically in accordance with figure 7).

Encrypt the file key as plaintext using a key protection key (typically generated using figure 2) as key with a symmetric cipher to obtain a protected file key.

330  Store the protected file key in a conveniently locatable place on the disk (typically in the last bytes of the last cluster allocated to the file).
Figure 24

400  Generate a symmetric cipher key (typically using figure 3).

410  Encrypt a file or directory with a symmetric cipher and store the key (typically using figure 4).

420  Provide a key protection key (typically generated using figure 2).

Retrieve the protected file key from a conveniently locatable place on the disk (typically in the last bytes of the last cluster allocated to the file). Typically the sector number of a given sector of the file is given, from which the last cluster of the file is derived using the DOS File Allocation Table.

Decrypt the protected file key as ciphertext using a key protection key (typically generated using figure 2) as key with a symmetric cipher to obtain a file key.

450  Decrypt the file using the file key as the key using conventional methods (or typically using figure 7).
Figure 25

500  Provide a key (typically generated in figure 3).

Provide a sector number of the data to be encrypted.

Derive using conventional means from the sector number information which is unique to the presently installed hard disk and current location, such as hard drive number, cylinder number (0..1023), sector number (1..17), number of the read/write heads (0..1), to obtain a location serial number (typically 15 or more bits long).

Partition a sector (typically 512 bytes) based on the symmetric cipher block size (typically 256 bytes) into plaintext blocks (typically 2 blocks). Typically, use a fast parallel bit-wise vector implementation of DES with common multiplication with final carry discarded, or multiplication over a ring, substituted for xor when combining the subkey with the plaintext derived input.

Using the location serial number as the initial vector, encrypt the sector with cipher-block-chaining using conventional methods.
Figure 26

600  Provide a key (typically generated in figure 3).

Provide a sector number of the data (typically within a file) to be encrypted.

Derive using conventional means from the sector number information which is unique to the presently installed hard disk and current location, such as hard drive number, cylinder number (0..1023), sector number (1..17), number of the read/write heads (0..1), to obtain a location serial number (typically 15 or more bits long).

Partition a sector (typically 512 bytes) based on the symmetric cipher block size (typically 8 bytes) into plaintext blocks (typically 64 blocks).

640  Using the location serial number as the initial vector, encrypt the sector with cipher-block-chaining using conventional methods.
Figure 27

100  Generate a first permutation which includes a left half L* and a right half R*, wherein L* is generated by composition of an inverse P permutation and a left half L of an initial permutation, and wherein R* is generated by composition of the inverse P permutation and a right half R of the initial permutation.

105  Generate a second permutation which includes a left half L** and a right half R**, wherein L** is generated by composition of the P permutation and a left half L of a final permutation, and wherein R** is generated by composition of the P permutation and a right half R of the final permutation.

Generate a mapping by composition of the P permutation with an E-expansion.

Generate plain-text derived input by performing first permutation on plain text.

120  Run 56 one-bit variables through a DES key schedule and record 16 48-bit subkeys in terms of the 56 variables, thereby generating a subkey table.

125  n = 1

130  Compute subkey for n'th round by plugging in 56-bit DES key as input to the (((n - 1) modulo 16) + 1)'th subkey in subkey table.

135  Use PC with 32-bit register to perform n'th DES round on n'th subkey and plain-text derived input but substitute addition for XOR. Use fig 4 implementation of this step if steps 100-110 are performed.

140  If n = integer multiple of 16, replace DES key.

145  n = n + 1

n > 48? (loop back if not)

Generate cipher text by performing second permutation on 64-bit round output of the last DES round.
Figure 28

200  Provide 48-bit subkey, e.g. derive dependent 48-bit subkey from DES key using standard key schedule.

210  Expand right half of 64-bit plain text derived input from 32 bits to 48 bits, using 64-bit round output from previous round as plain text derived input for rounds 1 < n < N and using plain text as plain text derived input for round n = 1.

220  Generate 48-bit sum of 48-bit subkey plus 48-bit expanded right half, ignoring final carry if any.

230  Partition 48-bit sum into 8 6-bit sum portions.

For each 6-bit sum portion, perform table look-up to obtain a 4-bit quantity.

Concatenate the 8 4-bit results of table look-up to obtain a 32-bit quantity.

260  Permute 32-bit quantity.

270  Generate 64-bit round output as follows: left half of 64-bit quantity is right half of plain text derived input; and right half of 64-bit quantity is XOR of left half of plain text derived input and permuted 32-bit quantity.
Figure 29

Provide 48-bit subkey and generate 48 subkey-derived integers, wherein the i'th subkey derived integer (1 <= i <= 48) is all 1's if the i'th bit of the subkey is 1 and all 0's if the i'th bit of the subkey is 0.

Use expansion table to associate (with repetition) one of the 32 right half integers with each of 48 cell positions, thereby to define an i'th right half integer for each 1 <= i <= 48.

Sum i'th subkey derived integer with i'th right half integer for each 1 <= i <= 48, ignoring final carry, to obtain a sequence of 48 sum values.

Partition sequence of 48 sum values into 8 subsequences including 6 sum values each.

For each subsequence of 6 sum values, perform s-box operations to obtain a subsequence of 4 s-box outputs, thereby obtaining a first sequence of 32 s-box outputs.

Based on DES P-permutation table, generate a correspondence between the serial numbers from 1 to 32 and the positions in the first sequence, thereby to define a permuted sequence of the 32 s-box outputs.

370  Generate an output sequence of 64 integers as follows: first half of output sequence is integers 33-64 in sequence of 64 plain text derived integers; and second half of output sequence is XOR of integers 1-32 of the sequence of 64 plain text derived integers with permuted sequence of 32 s-box outputs.
Figure 30

Provide 48-bit subkey, e.g. derive dependent 48-bit subkey from DES key using standard key schedule.

410  Use mapping generated in step 110 to expand and permute right half of 64-bit plain text derived input from 32 bits to 48 bits, using 64-bit round output from previous round as plain text derived input for rounds 1 < n < N and using plain text as plain text derived input for round n = 1.

Generate 48-bit sum of 48-bit subkey plus 48-bit expanded right half, ignoring final carry if any.

430  Partition 48-bit sum into 8 6-bit sum portions.

440  For each 6-bit sum portion, perform table look-up to obtain a 4-bit quantity.

450  Concatenate the 8 4-bit results of table look-up to obtain a 32-bit quantity.

Generate 64-bit round output as follows: left half of 64-bit quantity is right half of plain text derived input; and right half of 64-bit quantity is XOR of left half of plain text derived input and 32-bit quantity generated in step 450.
Figure 31

Provide 48-bit subkey, e.g. derive dependent 48-bit subkey from DES key using standard key schedule.

Ignoring final carry if any, generate 48-bit sum of 48-bit subkey plus 48-bit expanded right half from previous round (in first round, use conventional expansion permutation to expand right half of 64-bit plain text).

Partition 48-bit sum into 8 6-bit sum portions and store each sum portion in an addressable memory unit, e.g. store each sum portion in a byte and use the 2 remaining bits in the byte to hold two selected bits in the 48-bit sum.

For each such byte (or bit portion), perform table look-up to obtain a permuted expanded 32-bit quantity.

XOR the 8 quantities generated in previous step to yield a 32-bit XOR output.

550  Generate 64-bit round output as follows: left half of 64-bit round output is right half of plain text derived input; right half of 64-bit round output is XOR of the left half of plain text derived input and 32-bit XOR output.

Expand right half of 64-bit plain text derived input from 32 bits to 48 bits, using 64-bit round output from previous round as plain text derived input for rounds 1 < n < N and using plain text as plain text derived input for round n = 1.
1100  Generate a first permutation which includes a left half L* and a right half R*, wherein L* is generated by composition of an inverse P permutation and a left half L of an initial permutation, and wherein R* is generated by composition of the inverse P permutation and a right half R of the initial permutation.

1105  Generate a second permutation which includes a left half L** and a right half R**, wherein L** is generated by composition of the P permutation and a left half L of a final permutation, and wherein R** is generated by composition of the P permutation and a right half R of the final permutation.

1110  Generate a mapping by composition of the P permutation with an E-expansion.

1115  Generate plain-text derived input by performing first permutation on plain text.

1120  Run 56 one-bit variables through a DES key schedule and record 16 48-bit subkeys in terms of the 56 variables, thereby generating a subkey table.

1125  n = 1

1130  Compute subkey for n'th round by plugging in 56-bit DES key as input to the (((n - 1) modulo 16) + 1)'th subkey in subkey table.

1135  Use PC with 32-bit register to perform n'th DES round on n'th subkey and plain-text derived input but substitute common multiplication with final carry discarded, or multiplication over a ring, in place of XOR. Use fig 9 implementation of this step if steps 1100-1110 are performed.

1140  If n = integer multiple of 16, replace DES key.

1145  n = n + 1

1150  n > 48? (loop back if not)

1155  Generate cipher text by performing second permutation on 64-bit round output of the last DES round.
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Figure 33 



Provide 48-bit subkey e.g. derive dependent 48-bit subkey from DES key using standard key schedule

Expand right half of 64-bit plain text derived input from 32 bits to 48 bits, using 64-bit round output from previous round as plain text derived input for rounds 1 < n < N and using plain text as plain text derived input for round n = 1

Generate 48-bit product of 48-bit subkey times 48-bit expanded right half, using common multiplication with final carry discarded or multiplication over a ring

Partition 48-bit product into 8 6-bit product portions 1230

For each 6-bit product portion, perform table look-up to obtain a 4-bit quantity

Concatenate the 8 4-bit results of table look-up to obtain a 32-bit quantity 1250

Permute 32-bit quantity 1260

Generate 64-bit round output as follows:
  left half of 64-bit quantity is right half of plain text derived input; and
  right half of 64-bit quantity is XOR of left half of plain text derived input and permuted 32-bit quantity.
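Added example, not the patent's own code: one Feistel round in Python in which the 48-bit subkey is inserted by XOR (conventional DES), by a 48-bit sum with the final carry discarded (Figure 31) or by a 48-bit product with the final carry discarded (Figure 33), followed by the 6-bit partition, S-box look-up, P permutation and Feistel swap, together with the inverse round. It assumes the standard DES E and P tables; to stay short it reuses the real DES S-box S1 at all eight positions, which is a constructed simplification.

```python
# Added example, not the patent's code. Key insertion is pluggable: XOR (DES),
# 48-bit sum or 48-bit product with the final carry discarded (Figures 31/33).
# E and P are the standard DES tables; S1 stands in for all eight S-boxes
# (a constructed simplification so the block stays short).
E = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13,
     12, 13, 14, 15, 16, 17, 16, 17, 18, 19, 20, 21, 20, 21, 22, 23,
     24, 25, 24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]
P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]
S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]
MASK48 = (1 << 48) - 1

def permute(value, table, width):
    """Apply a 1-indexed DES permutation table; bit 1 is the MSB of `value`."""
    out = 0
    for pos in table:
        out = (out << 1) | ((value >> (width - pos)) & 1)
    return out

def sbox(six):
    """DES S-box addressing: outer two bits pick the row, inner four the column."""
    return S1[((six >> 5) << 1) | (six & 1)][(six >> 1) & 0xF]

INSERT = {
    "xor": lambda k, x: k ^ x,                 # conventional DES
    "add": lambda k, x: (k + x) & MASK48,      # Figure 31: final carry discarded
    "mul": lambda k, x: (k * x) & MASK48,      # Figure 33: final carry discarded
}

def f(right, subkey, op):
    """Round function: expand, insert key, 8 x 6-bit look-ups, concatenate, permute."""
    mixed = INSERT[op](subkey, permute(right, E, 32))
    out = 0
    for i in range(8):
        out = (out << 4) | sbox((mixed >> (42 - 6 * i)) & 0x3F)
    return permute(out, P, 32)

def round_enc(block, subkey, op):
    """New left = old right; new right = old left XOR f(old right)."""
    left, right = block >> 32, block & 0xFFFFFFFF
    return (right << 32) | (left ^ f(right, subkey, op))

def round_dec(block, subkey, op):
    """Inverse round. Only f as a function is needed, so the inserted
    operation need not be invertible for decryption to work."""
    new_left, new_right = block >> 32, block & 0xFFFFFFFF
    return ((new_right ^ f(new_left, subkey, op)) << 32) | new_left
```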
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Figure 34 



Provide 48-bit subkey and generate 48 subkey-derived integers, wherein i'th subkey derived integer (1 <= i <= 48) is all 1's if the i'th bit of subkey is 1 and all 0's if the i'th bit of the subkey is 0. 1300

Use expansion table to associate (with repetition) one of the 32 right half integers with each of 48 cell positions, thereby to define an i'th right half integer for each 1 <= i <= 48 1320

Multiply i'th subkey derived integer by i'th right half integer for each 1 <= i <= 48 to obtain a sequence of 48 product values, using common multiplication with final carry discarded or multiplication over a ring

Partition sequence of 48 product values into 8 subsequences including 6 product values each

For each subsequence of 6 sum values, perform a series of logic gate operations to obtain a subsequence of 4 s-box outputs, thereby obtaining a first sequence of 32 s-box outputs

Based on DES p-permutation table, generate a one-to-one correspondence between the serial numbers from 1 to 32 and the 32 s-box outputs in the first sequence, thereby to define a permuted sequence of the 32 s-box outputs

Generate an output sequence of 64 integers as follows:
  first half of output sequence is integers 33-64 in sequence of 64 plain text derived integers; and
  second half of output sequence is XOR of integers 1-32 in sequence of 64 plain text derived integers with permuted sequence of 32 s-box outputs 1370
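Added example, not the patent's own code: the key-insertion step of Figure 34 in bit-slice form, with W parallel encryptions packed one per bit into W-bit integers, plus a check of which parallel encryptions are affected when a single bit of one right-half integer changes. It assumes W = 8 and constructed right-half integers; the expansion table and the logic-gate S-boxes are not included.

```python
# Added example, not the patent's code: Figure 34's key insertion in bit-slice
# form. Bit j of every integer belongs to parallel encryption j ("lane" j).
W = 8                   # constructed: eight parallel encryptions per integer
LANES = (1 << W) - 1    # the all-ones integer

def subkey_integers(subkey48):
    """i'th integer is all 1's if bit i of the subkey (bit 1 = MSB) is 1, else all 0's."""
    return [LANES if (subkey48 >> (47 - i)) & 1 else 0 for i in range(48)]

def insert_key(subkey_ints, right_ints, op):
    """48 per-position combinations of subkey integer and expanded right-half integer."""
    if op == "xor":                       # bit-slice DES: lanes stay independent
        return [k ^ r for k, r in zip(subkey_ints, right_ints)]
    # Figure 34: common multiplication, final carry discarded. Because the subkey
    # integer is 0 or all-ones, this is 0 or the two's-complement negation of r,
    # whose carry chain lets one lane's bit change other lanes' bits.
    return [(k * r) & LANES for k, r in zip(subkey_ints, right_ints)]

def changed_lanes(a, b):
    """OR of all positions' differences: a set bit means that lane differs somewhere."""
    acc = 0
    for x, y in zip(a, b):
        acc |= x ^ y
    return acc

def cross_lane_effect(op):
    """Flip lane 2 at one position of the right-half sequence; report lanes that change."""
    subkey = subkey_integers(LANES << 40)        # constructed: top 8 subkey bits set
    base = [0x00] * 48                           # constructed right-half integers
    flipped = list(base)
    flipped[0] = 1 << 2                          # one bit, one lane, one position
    return changed_lanes(insert_key(subkey, base, op), insert_key(subkey, flipped, op))
```

With XOR only lane 2 changes; with the multiplication of Figure 34 the same single-bit change reaches lanes 2 through 7.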
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Figure 35 



Provide 48-bit subkey e.g. derive dependent 48-bit subkey from DES key using standard key schedule

Use mapping generated in step 1110 to expand and permute right half of plain text derived input from 32 bits to 48 bits, using 64-bit round output from previous round as plain text derived input for rounds 1 < n < N and using plain text as plain text derived input for round n = 1

Generate 48-bit product of 48-bit subkey times 48-bit expanded right half, using common multiplication with final carry discarded or multiplication over a ring

Partition 48-bit product into 8 6-bit product portions 1430

For each 6-bit product portion, perform table look-up to obtain a 4-bit quantity

Concatenate the 8 4-bit results of table look-up to obtain a 32-bit quantity

Generate 64-bit round output as follows:
  left half of 64-bit quantity is right half of plain text derived input; and
  right half of 64-bit quantity is XOR of left half of plain text derived input and 32-bit quantity generated in step 1450.
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Figure 36 



Provide 48-bit subkey e.g. derive dependent 48-bit subkey from DES key using standard key schedule 1500

Generate 48-bit product of 48-bit subkey times 48-bit expanded right half from previous round (in first round, use conventional expansion permutation to expand right half of 64-bit plain text) 1510

Partition 48-bit product into 8 6-bit product portions and store each product portion in an addressable memory unit e.g. store each sum portion in a byte and use 2 remaining bits in byte to hold two selected bits in the 48-bit product. 1520

For each such byte (or bit portion), perform table look-up to obtain a permuted expanded 32-bit quantity 1530

XOR the 8 quantities generated in previous step to yield a 32-bit XOR output. 1540

Generate 64-bit round output as follows:
  left half of 64-bit round output is right half of plain text derived input; and
  right half of 64-bit round output is XOR of the left half of plain text derived input and 32-bit XOR output. 1550

Expand right half of 64-bit plain text derived input from 32 bits to 48 bits, using 64-bit round output from previous round as plain text derived input for rounds 1 < n < N and using plain text as plain text derived input for round n = 1. 1560
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